This month's Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in **Microsoft Windows** that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm. **Apple** also quashed a pair of zero-day bugs affecting certain macOS and iOS users, and released **iOS 16**, which offers a new privacy and security feature called "**Lockdown Mode**." And **Adobe** axed 63 vulnerabilities in a range of products.

Microsoft today released software patches to plug at least 64 security holes in Windows and related products. Worst in terms of outright scariness is [CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>), a "privilege escalation" weakness in the **Windows Common Log File System Driver** that allows an attacker who already has a foothold on a vulnerable host to gain SYSTEM-level privileges. Microsoft says this flaw is already being exploited in the wild.
**Kevin Breen**, director of cyber threat research at **Immersive Labs**, said any vulnerability that is actively targeted by attackers in the wild must be put to the top of any patching list.
"Not to be fooled by its relatively low CVSS score of 7.8, privilege escalation vulnerabilities are often highly sought after by cyber attackers," Breen said. "Once an attacker has managed to gain a foothold on a victim’s system, one of their first actions will be to gain a higher level of permissions, allowing the attacker to disable security applications and any device monitoring. There is no known workaround to date, so patching is the only effective mitigation."
**Satnam Narang** at **Tenable** said [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) -- a similar vulnerability in the same Windows log file component -- was patched earlier this year as part of [Microsoft’s April Patch Tuesday release](<https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/>) and was also exploited in the wild.
"CVE-2022-37969 was disclosed by several groups, though it’s unclear if CVE-2022-37969 is a patch-bypass for CVE-2022-24521 at this point," Narang said.
Another vulnerability Microsoft patched this month -- [CVE-2022-35803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35803>) -- is a second elevation of privilege flaw in the same Windows log file component. While there are no indications CVE-2022-35803 is being actively exploited, Microsoft's Exploitability Index rates it "Exploitation More Likely."
Trend Micro's **Dustin Childs** called attention to [CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>), a remote code execution flaw in the **Windows TCP/IP** service that could allow an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.
"That officially puts it into the 'wormable' category and earns it a CVSS rating of 9.8," Childs said. "However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly."
**Cisco Talos** warns about four critical vulnerabilities fixed this month, two of which -- [CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>) and [CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>) -- have severity scores of 9.8, though Microsoft rates them "less likely" to be exploited.
"These are remote code execution vulnerabilities in the **Windows Internet Key Exchange** protocol that could be triggered if an attacker sends a specially crafted IP packet," [wrote](<https://blog.talosintelligence.com/2022/09/microsoft-patch-tuesday-for-september.html>) **Jon Munshaw** and **Asheer Malhotra**. "Two other critical vulnerabilities, [CVE-2022-35805](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35805>) and [CVE-2022-34700](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34700>) exist in on-premises instances of **Microsoft Dynamics 365**. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner."
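The preconditions spelled out above (IPv6 bound, IPsec in use, the IKE keying service exposed) are exactly what an administrator should check before deciding how urgently a given host needs this month's update. The following PowerShell triage script is an added example for this page; it is not code from Krebs, Trend Micro, Cisco Talos or Microsoft. It assumes Windows 8 / Server 2012 or later (so the NetAdapter, NetSecurity and NetTCPIP modules are present), an elevated session, and uses the Patch Tuesday date as a coarse stand-in for "this month's cumulative update", since no KB numbers are given in the article.

```powershell
# Added example (not from the article or the researchers it quotes): triage a
# single Windows host for the network-facing IPv6/IPsec/IKE bugs described above
# and confirm that this month's update has landed. Run from an elevated session.
# Assumes Windows PowerShell 5.1+ (or PowerShell 7) with the NetAdapter,
# NetSecurity and NetTCPIP modules, i.e. Windows 8 / Server 2012 or later.

function Get-SeptemberPatchExposure {
    [CmdletBinding()]
    param(
        # Date used to recognise this month's cumulative update in Get-HotFix output
        # (assumption: no KB numbers are given in the article, so we key on the date).
        [datetime]$PatchTuesday = '2022-09-13'
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # CVE-2022-34718 requires IPv6 to be bound on at least one adapter.
    $ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty Name)

    # IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service that parses
    # inbound IKE traffic (CVE-2022-34721 / CVE-2022-34722).
    $ikeext = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ikeextStatus = if ($ikeext) { "$($ikeext.Status) ($($ikeext.StartType))" } else { 'not present' }

    # Active IPsec rules and negotiated main-mode SAs show whether IPsec is really in use.
    $ipsecRules  = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
    $mainModeSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

    # UDP 500 (ISAKMP) and 4500 (NAT-T) listeners are the remote attack surface for IKE.
    $ikeListeners = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 500, 4500 } |
        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" })

    # Updates installed on or after Patch Tuesday. The CLFS bug (CVE-2022-37969)
    # has no workaround, so "is the update installed" is the only check that matters.
    $recentUpdates = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Select-Object -ExpandProperty HotFixID)

    # Heuristics only: these mirror the preconditions stated by the researchers
    # quoted in the article, not the presence of the vulnerable code path itself.
    $exposedTcpIp = ($ipv6Adapters.Count -gt 0) -and
                    ($ipsecRules.Count -gt 0 -or $mainModeSAs.Count -gt 0)
    $exposedIke   = ($null -ne $ikeext) -and ($ikeext.Status -eq 'Running') -and
                    ($ikeListeners.Count -gt 0)

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        OSVersion                = "$($os.Caption) $($os.Version)"
        IPv6Adapters             = $ipv6Adapters
        IKEEXTStatus             = $ikeextStatus
        ActiveIPsecRules         = $ipsecRules.Count
        MainModeSAs              = $mainModeSAs.Count
        IKEListeners             = $ikeListeners
        UpdatesSincePatchTuesday = $recentUpdates
        ExposedTcpIpRce          = $exposedTcpIp
        ExposedIkeRce            = $exposedIke
        NeedsUpdate              = ($recentUpdates.Count -eq 0)
    }
}

Get-SeptemberPatchExposure | Format-List
```

Two caveats when reading the output. `NeedsUpdate` only tells you that nothing was installed since Patch Tuesday; a host that took an unrelated update on the same day will show as patched, so confirm the specific cumulative update for your OS build against Microsoft's release notes. The two `Exposed*` flags are conservative: a host with IPv6 bound and IPsec rules present is treated as exposed even if no peer ever negotiates with it, which is the right bias for prioritising deployment of a 9.8-rated, unauthenticated RCE.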
Not to be outdone, Apple fixed at least two zero-day vulnerabilities when it released updates for iOS, iPadOS, macOS and Safari. CVE-2022-32984 is a problem in the deepest recesses of the operating system (the kernel). Apple pushed [an emergency update](<https://nakedsecurity.sophos.com/2022/08/18/apple-patches-double-zero-day-in-browser-and-kernel-update-now/>) for a related zero-day last month in CVE-2022-32983, which could be used to foist malware on iPhones, iPads and Macs that visited a booby-trapped website.
Also listed under active attack is **CVE-2022-32817**, which has been fixed on macOS 12.6 (Monterey), macOS 11.7 (Big Sur), iOS 15.7 and iPadOS 15.7, and iOS 16. The same vulnerability [was fixed in Apple Watch in July 2022](<https://support.apple.com/en-us/HT213340>), and credits **Xinru Chi** of Japanese cybersecurity firm **Pangu Lab**.
"Interestingly, this CVE is also listed in the advisory for iOS 16, but it is not called out as being under active exploit for that flavor of the OS," Trend Micro's Childs noted. "Apple does state in its iOS 16 advisory that 'Additional CVE entries to be added soon.' It’s possible other bugs could also impact this version of the OS. Either way, it’s time to update your Apple devices."
Apple's iOS 16 includes two new security and privacy features -- [Lockdown Mode](<https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/>) and [Safety Check](<https://support.apple.com/guide/personal-safety/how-safety-check-works-ips2aad835e1/web>). **Wired.com** describes Safety Check as a feature for users who are at risk for, or currently experiencing, domestic abuse.
"The tool centralizes a number of controls in one place to make it easier for users to manage and revoke access to their location data and reset privacy-related permissions," [wrote](<https://www.wired.com/story/apple-ios-16-safety-check-lockdown-mode/>) **Lily Hay Newman**.
"Lockdown Mode, on the other hand, is meant for users who potentially face targeted spyware attacks and aggressive state-backed hacking. The feature comprehensively restricts any nonessential iOS features so there are as few potential points of entry to a device as possible. As more governments and repressive entities around the world have begun purchasing powerful commodity spyware to target individuals of particular importance or interest, iOS's general security defenses haven't been able to keep pace with these specialized threats."
To turn on Lockdown Mode in iOS 16, go to **Settings**, then **Privacy and Security**, then **Lockdown Mode**. Safety Check is located in the same area.
Finally, Adobe released [seven patches](<https://helpx.adobe.com/security.html>) addressing 63 security holes in **Adobe Experience Manager**, **Bridge**, **InDesign**, **Photoshop**, **InCopy**, **Animate**, and **Illustrator**. More on those updates is available [here](<https://helpx.adobe.com/security.html>).
Don't forget to back up your data and/or system before applying any security updates. If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.
Source: Brian Krebs, "Wormable Flaw, 0days Lead Sept. 2022 Patch Tuesday," KrebsOnSecurity, published 2022-09-14, https://krebsonsecurity.com/2022/09/wormable-flaw-0days-lead-sept-2022-patch-tuesday/
{"malwarebytes": [{"lastseen": "2022-09-15T00:03:31", "description": "The Microsoft [September 2022 Patch Tuesday](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>) includes fixes for two publicly disclosed zero-day vulnerabilities, one of which is known to be actively exploited.\n\nFive of the 60+ security vulnerabilities were rated as "Critical", and 57 as important. Two vulnerabilities qualify as zero-days, with one of them being actively exploited.\n\n## Zero-days\n\nThe first zero-day, [CVE-2022-37969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969>), is a Windows Common Log File System Driver Elevation of Privilege (EoP) vulnerability. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges, although the attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system. This flaw is already being exploited in the wild.\n\nPrivilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.\n\nThe second zero-day, [CVE-2022-23960,](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-23960>) is an Arm cache speculation restriction vulnerability that is unlikely to be exploited. Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mis-predicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. 
The vulnerability was [disclosed](<https://www.vusec.net/projects/bhi-spectre-bhb/>) in March by researchers at VUSec.\n\n## The critical vulnerabilities\n\n[CVE-2022-35805](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35805>) and [CVE-2022-34700](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34700>) are both Microsoft Dynamics CRM (on-premises) Remote Code Execution (RCE) vulnerabilities. An authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there the attacker could escalate and execute commands as db_owner within their Dynamics 365 database.\n\n[CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>): a Windows TCP/IP RCE vulnerability with a [CVSS score](<https://www.malwarebytes.com/blog/news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities>) of 9.8 out of 10. An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine. Only systems with the IPSec service running are vulnerable to this attack. Systems are not affected if IPv6 is disabled on the target machine.\n\n[CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>) and [CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>): are both Windows Internet Key Exchange (IKE) Protocol Extensions RCE vulnerabilities with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. The vulnerability only impacts IKEv1. IKEv2 is not impacted. However, all Windows Servers are affected because they accept both V1 and V2 packets.\n\n## Other vendors\n\nOther vendors have synchronized their periodic updates with Microsoft. 
Here are few major ones:\n\n * Adobe [released seven patches](<https://helpx.adobe.com/security.html>) addressing 63 security holes in Adobe Experience Manager, Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator.\n * Earlier this month, the [Android security bulletin for September](<https://source.android.com/docs/security/bulletin/2022-09-01>) came out, which was followed up with a [Pixel specific update](<https://www.malwarebytes.com/blog/news/2022/09/update-now-google-patches-vulnerabilities-for-pixel-mobile-phones>).\n * Apple fixed at least [two zero-day vulnerabilities](<https://www.malwarebytes.com/blog/news/2022/09/update-now-apple-devices-are-exposed-to-a-new-zero-day-flaw>) when it released updates for iOS, iPadOS, macOS and Safari.\n * Cisco [released security updates](<https://tools.cisco.com/security/center/publicationListing.x>) for numerous products this month.\n * Google released a [fix for a Chrome zero-day](<https://www.malwarebytes.com/blog/news/2022/09/update-chrome-asap-a-new-zero-day-is-already-being-exploited>).\n * Samsung has released a new [security update](<https://security.samsungmobile.com/securityUpdate.smsb>) for major flagship models.\n * SAP published its [September 2022 Patch Day](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>) updates.\n * VMware released [security advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0024.html>) for VMware Tools.\n\nStay patched!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T12:00:00", "type": "malwarebytes", "title": "Update now! 
Microsoft patches two zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23960", "CVE-2022-34700", "CVE-2022-34718", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-35805", "CVE-2022-37969"], "modified": "2022-09-14T12:00:00", "id": "MALWAREBYTES:8FF6ADCDE71AD78C1537280203BB4A22", "href": "https://www.malwarebytes.com/blog/news/2022/09/update-now-microsoft-patches-two-zero-days", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-12-20T00:10:35", "description": "A critical vulnerability can send countless organizations into chaos, as security teams read up on the vulnerability, try to figure out whether it applies to their systems, download any potential patches, and deploy those fixes to affected machines. But a lot can go wrong when a vulnerability is discovered, disclosed, and addressed--an inflated severity rating, a premature disclosure, even a mixup in names.\n\nIn these instances, when the security community is readying itself for a major sea change, what it instead gets is a ripple. Here are some of the last year's biggest miscommunications and errors in security vulnerabilities. \n\n## 1\\. \"Wormable\"\n\nThere are some qualifications for vulnerabilities that send shivers up the spine of the security community as a whole. A "wormable" vulnerability is used when the possibility exists that an infected system can contribute as an active source to infect other systems. This makes the growth potential of an infection exponential. 
You'll often see the phrase "WannaCry like proportions" used as a warning about how bad it could get.\n\nWhich brings us to our first example: [CVE-2022-34718](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34718>), a Windows TCP/IP Remote Code Execution (RCE) vulnerability with a [CVSS rating](<https://www.malwarebytes.com/blog/news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities>) of 9.8. The vulnerability could have allowed an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction, which makes it \"wormable,\" but in the end, it turned out to be not so bad since it only affected systems with IPv6 and IPSec enabled and it was patched before an in-depth analysis of the vulnerability was [publicly disclosed](<https://medium.com/numen-cyber-labs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf>).\n\n## 2\\. Essential building blocks\n\nSomething we've learned the hard way is that there are very popular libraries maintained by volunteers, that many other applications rely on. A library is a set of resources that can be shared among processes. Often these resources are specific functions aimed at a certain goal which can be called upon when needed so they do not have to be included in the code of the software. 
A prime example of such a library that caused quite some havoc was [Log4j](<https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>).\n\nSo, when [OpenSSL announced](<https://www.malwarebytes.com/blog/news/2022/10/critical-openssl-fix-due-november-1st-get-ready-to-patch>) a fix for a critical issue in OpenSSL, everybody remembered that the last time OpenSSl fixed a critical vulnerability, that vulnerability was known as [Heartbleed](<https://www.malwarebytes.com/blog/news/2019/09/everything-you-need-to-know-about-the-heartbleed-vulnerability>). The Heartbleed vulnerability was discovered and patched in 2014, but infected systems kept popping up for years.\n\nHowever, when the patch came out for the more recent OpenSSL issue, it turned out the bug had been [downgraded in severity](<https://www.malwarebytes.com/blog/news/2022/11/openssl-bug-downgraded-in-severity-patches-now-available>). That was good news all around: The patch for the two vulnerabilities is available, and the announced vulnerability wasn't as severe as we expected. And there is no known exploit for the vulnerabilities doing the rounds.\n\n## 3\\. Zero-day\n\nThe different interpretations for the term zero-day tend to be confusing as well.\n\nThe most accepted definition is:\n\n> "A zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw."\n\nBut you will almost as often see something called a zero-day because the patch is not available yet, even though the party or parties responsible for patching or otherwise fixing the flaw are aware of the vulnerability. For example, Microsoft uses this definition:\n\n> "A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. 
A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available."\n\nThe difference is significant. The fact that a vulnerability exists is true for almost any complex platform or software. Someone has to find such a vulnerability before it becomes a risk. Whether it then becomes a threat depends on the researcher who finds the flaw. If the researcher follows the rules of responsible disclosure, the vendor will be made aware of the existence of the flaw before anyone else, and the vendor will have a chance to find and publish a fix for the bug before any malicious actors find out about it.\n\nSo, for a vulnerability to be alarming, I would argue it has to be used in the wild or a public Proof-of-Concept has to be available _before_ the patch has been released.\n\nAs an example of where this went wrong, a set of critical RCE [vulnerabilities in WhatsApp](<https://www.malwarebytes.com/blog/news/2022/09/critical-whatsapp-vulnerabilities-patched-check-youve-updated>) got designated as a zero-day by several outlets, including some that should know better. As it turned out, the vulnerabilities listed as [CVE-2022-36934](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36934>) and [CVE-2022-27492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27492>) were found by the WhatsApp internal security team and silently fixed, so they never posed any actual risk to any user. Yes, the consequences would have been disastrous if threat actors had found the vulnerabilities before the WhatsApp team did, but there never were any indications that these vulnerabilities had been exploited.\n\n## 4\\. Spring4Shell\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database as an individual number. 
CVE numbers are very helpful because they are unique and used in many reliable sources, so they make it easy to find a lot of information about a particular vulnerability. But they are hard to remember (for me at least). Coming up with fancy names and logos for vulnerabilities, such as Log4Shell, Heartbleed, and Meltdown/Spectre, helps us to tell them apart.\n\nBut when security experts themselves start to confuse different vulnerabilities in the same framework and researchers disclose details about an unpatched vulnerability because they think the information is out anyway, serious problems can arise.\n\nIn March, two RCE vulnerabilities were being discussed on the internet. Most of the people talking about them believed they were talking about "Spring4Shell" ([CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>)), but in reality they were discussing [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>). To add to the stress, a Chinese researcher prematurely spilled details about the vulnerability before the developer of the vulnerable Spring Framework could come up with a patch. This may have been due to the confusion about the two vulnerabilities.\n\nIn the end, Spring4Shell fizzled, working only for certain configurations and not for an out-of-the-box install.\n\n## Public service or not?\n\nSo, are we doing the public a service by writing about vulnerabilities? We feel we are, because it is good to raise awareness about the existence of vulnerabilities. But, to be effective, we need to meet certain criteria.\n\n * First of all, it needs to be made clear who is affected and who needs to do something about it. 
And what you can do to protect yourself.\n * While it is not always easy to make an assessment about the threat level, since we often don't have the exact details of a vulnerability, it is desirable to not exaggerate the impact.\n * Make it very clear whether or not a threat is being used in the wild if you have that information.\n\nIn a recent assessment, security researcher [Amelie Koran](<https://infosec.exchange/@webjedi>) said on Mastodon that the economic costs of Heartbleed were mostly due to vulnerability assessment and patching and not necessarily lost or stolen data. Not that it wouldn't have backfired if the patch hadn't been deployed, but it is something to keep in mind. A panic situation can do more harm than the actual threat.\n\n* * *\n\n**We don't just report on threats--we remove them**\n\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by [downloading Malwarebytes today](<https://www.malwarebytes.com/for-home>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-19T01:00:00", "type": "malwarebytes", "title": "4 over-hyped security vulnerabilities of 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965", "CVE-2022-27492", "CVE-2022-34718", "CVE-2022-36934"], "modified": "2022-12-19T01:00:00", "id": "MALWAREBYTES:30F9B0094E0BC177A7D657BF67D87E39", "href": "https://www.malwarebytes.com/blog/news/2022/12/4-times-security-vulnerabilities-were-blown-out-of-proportion-in-2022", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-19T21:28:45", "description": "It\u2019s that time of the month again. Time to check what needs to be updated and prioritize where necessary. The Microsoft updates include at least two zero-day vulnerabilities that deserve your attention.\n\n## Microsoft\n\nMicrosoft has released security updates and non-security updates for client and server versions of its Windows operating system and other company products, including Microsoft Office and Edge.\n\nFor those that have extended support for Windows 7, there are four critical remote code execution (RCE) vulnerabilities to worry about:\n\n * [CVE-2022-24500](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24500>) [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) 8.8 out of 10, a Windows SMB Remote Code Execution vulnerability\n * [CVE-2022-24541](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24541>) CVSS 8.8, a Windows Server Service Remote Code Execution vulnerability\n * [CVE-2022-26809](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26809>) CVSS 9.8, a Remote Procedure Call Runtime Remote Code Execution vulnerability\n * [CVE-2022-26919](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26919>) CVSS 8.1, a Windows LDAP Remote Code Execution vulnerability\n\nCVE-2022-26809 does have a CVSS of 9.8 for good reason. It affects almost every Windows OS and Microsoft has it listed as more likely to be exploited. 
To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. TCP port 445 is used to initiate a connection with the affected component. And some quick Shodan scans showed that millions of systems have that port open.\n\n> We've learned nothing.  \nCVE-2022-26809 is going to ruin some weekends.<https://t.co/mD6irwPdUs>[#CyberSecurity](<https://twitter.com/hashtag/CyberSecurity?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/szPhauAIrv](<https://t.co/szPhauAIrv>)\n> \n> -- Jon Gorenflo  (@flakpaket) [April 12, 2022](<https://twitter.com/flakpaket/status/1514029843335237636?ref_src=twsrc%5Etfw>)\n\nMicrosoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The zero-day vulnerabilities fixed in this update cycle are:\n\n * [CVE-2022-26904](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26904>) CVSS 7.0, a Windows User Profile Service Elevation of Privilege (EoP) vulnerability. This one is marked with a high attack complexity, because successful exploitation of this vulnerability requires an attacker to win a race condition. But the vulnerability is public knowledge and there is an existing Metasploit module for it. Metasploit is an open-source penetration testing framework used by security engineers both as a testing system and as a development platform for creating security tools and exploits.\n * [CVE-2022-24521](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24521>) CVSS 7.8, a Windows Common Log File System Driver Elevation of Privilege vulnerability. This vulnerability has been used in the wild. Microsoft says that attack complexity is low. 
The vulnerability was reported to Microsoft by the National Security Agency (NSA) and Crowdstrike.\n\nOther notable CVEs:\n\n * [CVE-2022-24491](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24491>) CVSS 9.8, a Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the [NFS role](<https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview>) enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.\n * [CVE-2022-24997](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24997>) CVSS 9.8, another Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.\n\nOn these systems with the NFS role enabled, a remote attacker could execute their code with high privileges and without user interaction. This worries experts as these may turn out to be wormable bugs between NFS servers. For a temporary solution, more information on installing or uninstalling Roles or Role Services is available [here](<https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard>).\n\nA vulnerability is considered to be wormable if an attack can be launched that requires no human interaction to spread. The impact can be considerable if the number of vulnerable machines is high enough. 
In these cases web application firewalls (WAFs) would help to mitigate the risk.\n\nIn related news, Microsoft [announced](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839>) the release of Windows Autopatch, which is set for July 2022. This will hopefully lessen some of the burdens that come with [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>).\n\n## Edge and Chrome\n\nThe Microsoft updates included 26 Microsoft Edge vulnerabilities and Google released a stable channel update for Windows, Mac, and Linux that includes 11 security fixes. Eight out of those 11 were rated with a High severity, none were marked as Critical.\n\n## Other updates\n\nWhile you're at it, we also saw updates from vendors like:\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [VMWare](<https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#section1>)\n\nStay safe, everyone!\n\nThe post [April's Patch Tuesday update includes fixes for two zero-day vulnerabilities](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/aprils-patch-tuesday-update-includes-fixes-for-two-zero-day-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T13:57:39", "type": "malwarebytes", "title": "April\u2019s Patch Tuesday update includes fixes for two zero-day vulnerabilities", "bulletinFamily": 
"blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24491", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24541", "CVE-2022-24997", "CVE-2022-26809", "CVE-2022-26904", "CVE-2022-26919"], "modified": "2022-04-13T13:57:39", "id": "MALWAREBYTES:EF0C1E45728B8347B58DBE1D76A5F156", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/aprils-patch-tuesday-update-includes-fixes-for-two-zero-day-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-10-12T08:05:16", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiq0vVMccKuTq9vBkLdPdqmhFsx4VGp16Gn_0agg6m1Mm6VnBpjWpj1B3PtCDO02Rc8BuDFnPaz2MQCSdWR5Xln_UfGBJaXtNH7W4LmT5CCSulXkepNrK6B9RERXqqKwakUvLmKjJJlRYVvrsB9JV9eAezHUBd4exVXef3ElX_W1Z_q4FP6c-ROsjuK/s728-e100/windows.jpg>)\n\nTech giant Microsoft on Tuesday shipped fixes to quash [64 new security flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>) across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.\n\nOf the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. 
The patches are in addition to [16 vulnerabilities](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) that Microsoft addressed in its Chromium-based Edge browser earlier this month.\n\n\"In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months,\" Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.\n\n\"However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 \u2013 likely on track to surpass 2021, which patched 1,200 CVEs in total.\"\n\nThe actively exploited vulnerability in question is [CVE-2022-37969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969>) (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System ([CLFS](<https://docs.microsoft.com/en-us/previous-versions/windows/desktop/clfs/common-log-file-system-portal>)) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.\n\n\"An attacker must already have access and the ability to run code on the target system. 
This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system,\" Microsoft said in an advisory.\n\nThe tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.\n\nCVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after [CVE-2022-24521](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>) (CVSS score: 7.8) since the start of the year, the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.\n\nIt's not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows -\n\n * [**CVE-2022-34718**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718>) (CVSS score: 9.8) - Windows TCP/IP Remote Code Execution Vulnerability\n * [**CVE-2022-34721**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34721>) (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability\n * [**CVE-2022-34722**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34722>) (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability\n * [**CVE-2022-34700**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34700>) (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability\n * [**CVE-2022-35805**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35805>) (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability\n\n\"An unauthenticated attacker could send a specially crafted IP packet to a target 
machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation,\" Microsoft said about CVE-2022-34721 and CVE-2022-34722.\n\nAlso resolved by Microsoft are 15 remote code execution flaws in [Microsoft ODBC Driver](<https://twitter.com/HaifeiLi/status/1569741391349313536>), Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and five privilege escalation bugs spanning Windows Kerberos and Windows Kernel.\n\nThe September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module ([CVE-2022-38005](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38005>), CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions. \n\nLastly, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called [Branch History Injection](<https://thehackernews.com/2022/03/new-exploit-bypasses-existing-spectre.html>) or [Spectre-BHB](<https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB>) (CVE-2022-23960) that came to light earlier this March.\n\n\"This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening,\" Jogi said. 
\"If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information.\"\n\n### Software Patches from Other Vendors\n\nAside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Android](<https://source.android.com/docs/security/bulletin/2022-09-01>)\n * [Apache](<https://news.apache.org/foundation/entry/the-apache-news-round-up270>) [Projects](<https://news.apache.org/foundation/entry/the-apache-news-round-up270-2>)\n * [Apple](<https://thehackernews.com/2022/09/apple-releases-ios-and-macos-updates-to.html>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [F5](<https://support.f5.com/csp/new-updated-articles>)\n * [Fortinet](<https://www.fortiguard.com/psirt?date=09-2022>)\n * [GitLab](<https://about.gitlab.com/releases/2022/09/05/gitlab-15-3-3-released/>)\n * [Google Chrome](<https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html>)\n * [HP](<https://thehackernews.com/2022/09/high-severity-firmware-security-flaws.html>)\n * [IBM](<https://www.ibm.com/blogs/psirt/>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and 
[Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/September-2022>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2022-bulletin.html>)\n * [Samba](<https://www.samba.org/samba/history/>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [Trend Micro](<https://success.trendmicro.com/dcx/s/vulnerability-response?language=en_US>)\n * [VMware](<https://www.vmware.com/security/advisories.html>), and\n * [WordPress](<https://wordpress.org/news/2022/09/dropping-security-updates-for-wordpress-versions-3-7-through-4-0/>) (which is dropping support for versions 3.7 through 4.0 starting December 1, 2022)\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T04:42:00", "type": "thn", "title": "Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23960", "CVE-2022-24521", "CVE-2022-34700", "CVE-2022-34718", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-35805", "CVE-2022-37969", "CVE-2022-38005"], "modified": "2022-10-12T07:11:08", "id": "THN:D010C92A9BC9913717ECAC2624F32E80", "href": "https://thehackernews.com/2022/09/microsofts-latest-security-update-fixes.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-15T06:13:26", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhJcMd3_5v9AfJeccyNG75bWutsql3ZWUQopaddjFIniiwaHARP25cBu8hBIZVDJUIqPwdaIHPb7rSEvso0ThjD0TRU4MY2SHxjiVunEhFrlGstBY93fIcrVAr2SyU3lrCvFnaVvNPPA3mJM1cncQcVYJnaDqM2KEb4WvCFQ7qcZ9G10xetXKZcG63C/s728-e365/ms.png>)\n\nMicrosoft on Tuesday released [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2023-Feb>) to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild.\n\nThe updates are in addition to 22 flaws the Windows maker [patched](<https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in its Chromium-based Edge browser over the past month.\n\nOf the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws. The three zero-days of note that have been exploited are as follows -\n\n * [**CVE-2023-21715**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21715>) (CVSS score: 7.3) - Microsoft Office Security Feature Bypass Vulnerability\n * [**CVE-2023-21823**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21823>) (CVSS score: 7.8) - Windows Graphics Component Elevation of Privilege Vulnerability\n * [**CVE-2023-23376**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376>) (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability\n\n\"The attack itself is carried out locally by a user with authentication to the targeted system,\" Microsoft said in an advisory for CVE-2023-21715.\n\n\"An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.\"\n\nSuccessful exploitation of the above flaws could enable an adversary to bypass Office macro 
policies used to block untrusted or malicious files or gain SYSTEM privileges.\n\nCVE-2023-23376 is also the third actively exploited zero-day flaw in the CLFS component after [CVE-2022-24521](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>) and [CVE-2022-37969](<https://thehackernews.com/2022/09/microsofts-latest-security-update-fixes.html>) (CVSS scores: 7.8), which were addressed by Microsoft in April and September 2022.\n\n\"The Windows Common Log File System Driver is a component of the Windows operating system that manages and maintains a high-performance, transaction-based log file system,\" Immersive Labs' Nikolas Cemerikic said.\n\n\"It is an essential component of the Windows operating system, and any vulnerabilities in this driver could have significant implications for the security and reliability of the system.\"\n\nIt's worth noting that Microsoft OneNote for Android is vulnerable to CVE-2023-21823, and with the note-taking service increasingly emerging as a [conduit for delivering malware](<https://thehackernews.com/2023/02/post-macro-world-sees-rise-in-microsoft.html>), it's crucial that users apply the fixes.\n\nAlso addressed by Microsoft are multiple RCE defects in Exchange Server, ODBC Driver, PostScript Printer Driver, and SQL Server as well as denial-of-service (DoS) issues impacting Windows iSCSI Service and Windows Secure Channel.\n\nThree of the Exchange Server flaws are classified by the company as \"Exploitation More Likely,\" although successful exploitation requires the attacker to be already authenticated.\n\nExchange servers have [proven](<https://thehackernews.com/2023/01/microsoft-urges-customers-to-secure-on.html>) to be [high-value targets](<https://www.tenable.com/blog/proxynotshell-owassrf-tabshell-patch-your-microsoft-exchange-servers-now>) in recent years as they can enable unauthorized access to sensitive information, or facilitate Business Email Compromise (BEC) attacks.\n\n## Software Patches 
from Other Vendors\n\nBesides Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/docs/security/bulletin/2023-02-01>)\n * [Apple](<https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html>)\n * [Atlassian](<https://thehackernews.com/2023/02/atlassians-jira-software-found.html>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [CODESYS](<https://www.codesys.com/security/security-reports.html>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Drupal](<https://www.drupal.org/security>)\n * [F5](<https://my.f5.com/manage/s/article/K000130496>)\n * [GitLab](<https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [IBM](<https://www.ibm.com/support/pages/bulletin/>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * [Juniper Networks](<https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=\\[Security%20Advisories\\]>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red 
Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/February-2023>)\n * [Mozilla Firefox, Firefox ESR, and Thunderbird](<https://www.mozilla.org/en-US/security/advisories/>)\n * [NETGEAR](<https://www.netgear.com/about/security/>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * [Palo Alto Networks](<https://security.paloaltonetworks.com/>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2023-bulletin.html>)\n * [Samba](<https://www.samba.org/samba/history/>)\n * [Samsung](<https://security.samsungmobile.com/securityUpdate.smsb>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [Sophos](<https://www.sophos.com/en-us/security-advisories>)\n * [Synology](<https://www.synology.com/en-in/security/advisory>)\n * [Trend Micro](<https://success.trendmicro.com/dcx/s/vulnerability-response?language=en_US>)\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n * [Zoho](<https://pitstop.manageengine.com/portal/en/community/filter/announcement>), and\n * [Zyxel](<https://www.zyxel.com/global/en/support/security-advisories>)\n \n\n\nFound this article interesting? 
Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-15T04:21:00", "type": "thn", "title": "Update Now: Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521", "CVE-2022-37969", "CVE-2023-21715", "CVE-2023-21823", "CVE-2023-23376"], "modified": "2023-02-15T04:21:13", "id": "THN:2FAF5419051DEBA89A6A8764081CBE01", "href": "https://thehackernews.com/2023/02/update-now-microsoft-releases-patches.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-15T01:49:45", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEitadGZXUXI4AOCkyRlt3uzppCEI3XFEURao07SuyRwP6I1Lz2YXQUDSMf5SG5xK3buglGbwys2oGRrGeUQds83-g5xALdMI6_bVcoxBKYFMOSgM17lM_oByYddoxLztGk8BTnQ4_vFXIY9tRQ4Ed1hy4_dUgib2H4CShQ8h6nNSwCbeBrJ-zhEHyrO/s728-e100/Windows-Update.jpg>)\n\nDetails have emerged about a now-patched security flaw in 
Windows Common Log File System (CLFS) that could be exploited by an attacker to gain elevated permissions on compromised machines.\n\nTracked as [CVE-2022-37969](<https://thehackernews.com/2022/09/microsofts-latest-security-update-fixes.html>) (CVSS score: 7.8), the issue was addressed by Microsoft as part of its Patch Tuesday updates for September 2022, while also noting that it was being actively exploited in the wild.\n\n\"An attacker must already have access and the ability to run code on the target system,\" the company [noted](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969>) in its advisory. \"This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.\"\n\nIt also credited researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the vulnerability without delving into additional specifics surrounding the nature of the attacks.\n\nNow, the Zscaler ThreatLabz researcher team has [disclosed](<https://www.zscaler.com/blogs/security-research/technical-analysis-zero-day-vulnerability-cve-2022-37969-part-1-root-cause>) that it captured an in-the-wild exploit for the then zero-day on September 2, 2022.\n\n\"The cause of the vulnerability is due to the lack of a strict bounds check on the field cbSymbolZone in the Base Record Header for the base log file (BLF) in CLFS.sys,\" the cybersecurity firm said in a root cause analysis shared with The Hacker News.\n\n\"If the field cbSymbolZone is set to an invalid offset, an [out-of-bounds write](<https://cwe.mitre.org/data/definitions/787.html>) will occur at the invalid offset.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgRixXH9Hg4DMd-bkrwlPROAb4GdXbggPEPOspvcmVpiE4fIEJgV_anWzQXot5WFBM1p3qqLUXjvetkQG1YkRya563j2b5YfHuvnqRvU_3LK2GbXqa6tOcQm13Ror8e9TvrR5XYrygPm7ddzGES05nM1DDLEJwET22FE16VDzxRkm_ZP27tUDHKMIvF/s728-e100/poc.jpg>)\n\nCLFS is a [general-purpose logging 
service](<https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-the-common-log-file-system>) that can be used by software applications running in both user-mode or kernel-mode to record data as well as events and optimize log access.\n\nSome of the use cases associated with CLFS include online transaction processing (OLTP), network events logging, compliance audits, and threat analysis.\n\nAccording to Zscaler, the vulnerability is rooted in a metadata block called base record that's present in a [base log file](<https://learn.microsoft.com/en-us/previous-versions/windows/desktop/clfs/creating-a-log-file>), which is generated when a log file is created using the CreateLogFile() function.\n\n\"[Base record] contains the [symbol tables](<https://en.wikipedia.org/wiki/Symbol_table>) that store information on the various client, container and security contexts associated with the Base Log File, as well as accounting information on these,\" according to [Alex Ionescu](<https://github.com/ionescu007/clfs-docs>), chief architect at Crowdstrike.\n\nAs a result, a successful exploitation of CVE-2022-37969 via a specially crafted base log file could lead to memory corruption, and by extension, induce a system crash (aka blue screen of death or [BSoD](<https://en.wikipedia.org/wiki/Blue_screen_of_death>)) in a reliable manner.\n\nThat said, a system crash is just one of the outcomes that arises out of leveraging the vulnerability, for it could also be weaponized to achieve privilege escalation.\n\nZscaler has further made available proof-of-concept (PoC) instructions to trigger the security hole, making it essential that users of Windows upgrade to the latest version to mitigate potential threats.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-14T17:34:00", "type": "thn", "title": "Researchers Reveal Detail for Windows Zero-Day Vulnerability Patched Last Month", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-37969"], "modified": "2022-10-15T01:38:37", "id": "THN:92A38DD61E285B0CDD7C80A398BDB187", "href": "https://thehackernews.com/2022/10/researchers-reveal-detail-for-windows.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-26T14:51:13", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjyOiUSyrTGvh6ufFGvLkc3O1z4zyJOQVog8w48TWB67JBQqpFfZoIQlcw7w8cGW0ABfsJSdetJ-a7xoS28tfEkT29EdwdIbnSiLsA4VNJWy0rAW-4ekqEjVrNTW7mb_0OXoIb7yTIt7iES2uQe_Q3-mUTd_NhNEVN4TUo6KYl1Cn5s1N3wrhXN9FHD/s728-e100/ransomware.jpg>)\n\nA cybercrime group known as **Vice Society** has been linked to multiple ransomware strains in its malicious campaigns aimed at the education, government, and retail sectors.\n\nThe Microsoft Security Threat Intelligence team, which is tracking the threat cluster under the moniker DEV-0832, said the group avoids deploying ransomware in some cases and rather likely carries out extortion using exfiltrated stolen data.\n\n\"Shifting ransomware payloads over time from [BlackCat](<https://thehackernews.com/2022/09/blackcat-ransomware-attackers-spotted.html>), [Quantum 
Locker](<https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware>), and [Zeppelin](<https://www.cisa.gov/uscert/ncas/alerts/aa22-223a>), DEV-0832's latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and, most recently, .locked,\" the tech giant's cybersecurity division [said](<https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/>).\n\nVice Society, active since June 2021, has been steadily observed encrypting and exfiltrating victim data, and threatening companies with exposure of siphoned information to pressure them into paying a ransom.\n\n\"Unlike other RaaS (Ransomware-as-a-Service) double extortion groups, Vice Society focuses on getting into the victim system to deploy ransomware binaries sold on Dark web forums,\" cybersecurity company SEKOIA [said](<https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/>) in an analysis of the group in July 2022.\n\nThe financially motivated threat actor is known to rely on exploits for publicly disclosed vulnerabilities in internet-facing applications for initial access, while also using PowerShell scripts, repurposed legitimate tools, and commodity backdoors such as [SystemBC](<https://thehackernews.com/2020/12/ransomware-attackers-using-systembc.html>) prior to deploying the ransomware.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgnSYNgIGYh4RKJNWOt90zF3uAXZnv74Cd4rglNTW3jfh5Iaks75NZIlh8koQbP5sbAHi6Dezt7wpobiwvszy0bxZOZT-pVbIXv5E06u2sNZKlM8YWx8pJh9nO1bAdQzyT-EAUNu0ltiLC1emy1wKWLuxvSRDiAMYkc2u2zU7NNFg-t1QBRI9n_mMDA/s728-e100/Windows.jpg>)\n\nVice Society actors have also been spotted leveraging Cobalt Strike for lateral movement, in addition to creating scheduled tasks for persistence and abusing vulnerabilities in Windows Print Spooler (aka 
[PrintNightmare](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>)) and Common Log File System ([CVE-2022-24521](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>)) to escalate privileges.\n\n\"Vice Society actors attempt to evade detection through masquerading their malware and tools as legitimate files, using process injection, and likely use evasion techniques to defeat automated dynamic analysis,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>) last month.\n\nIn one July 2022 incident disclosed by Microsoft, the threat actor is said to have attempted to initially deploy QuantumLocker executables, only to follow it up with suspected Zeppelin ransomware binaries five hours later.\n\n\"Such an incident might suggest that DEV-0832 maintains multiple ransomware payloads and switches depending on target defenses or, alternatively, that dispersed operators working under the DEV-0832 umbrella might maintain their own preferred ransomware payloads for distribution,\" Redmond pointed out.\n\nAmong other tools utilized by DEV-0832 is a Go-based backdoor called PortStarter that offers the capability to alter firewall settings and open ports to establish connections with pre-configured command-and-control (C2) servers.\n\nVice Society, aside from taking advantage of living-off-the-land binaries (LOLBins) to run malicious code, has also been found attempting to turn off Microsoft Defender Antivirus using registry commands.\n\nData exfiltration is eventually achieved by launching a PowerShell script that transmits wide-ranging sensitive information, ranging from financial documents to medical data, to a hard-coded attacker-owned IP address.\n\nRedmond further pointed out that the cybercrime group focuses on organizations with weaker security controls and a higher likelihood of a ransom payout, underscoring the need to [apply necessary 
safeguards](<https://www.cisa.gov/stopransomware/stopransomware>) to prevent such attacks.\n\n\"The shift from a ransomware as a service (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities,\" Microsoft said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-26T08:13:00", "type": "thn", "title": "Vice Society Hackers Are Behind Several Ransomware Attacks Against Education Sector", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-10-26T13:13:50", "id": "THN:3D23E7265CBC033DE214A1FFC7A5E648", "href": "https://thehackernews.com/2022/10/vice-society-hackers-are-behind-several.html", 
"cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-02T15:09:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg8tTIoIM0jQbURH5PDnsmJRHY_lsHAklLsSwnnCy4L7peXJqw9IBIpKPUPJkyvg7_m2_n7uzGNLygUAk9J5Dn1ZMtuO--1mRGpLx-qpO8G7CW-Gwx2PUYYtWv5OuALZiA0xTKhEua4hbOnjAEwvt7sqxbdY3BamBoL-I5UxsUNssvzOcfgQIAVuHC0/s728-e100/cuba-ransomware.png>)\n\nThe threat actors behind Cuba (aka COLDDRAW) ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022.\n\nIn a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies [highlighted](<https://www.cisa.gov/uscert/ncas/current-activity/2022/12/01/stopransomware-cuba-ransomware>) a \"sharp increase in both the number of compromised U.S. entities and the ransom amounts.\"\n\nThe ransomware crew, also known as [Tropical Scorpius](<https://thehackernews.com/2022/08/hackers-behind-cuba-ransomware-attacks.html>), has been observed targeting financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while simultaneously expanding its tactics to gain initial access and interact with breached networks.\n\nIt's worth noting that despite the name \"Cuba,\" there is no evidence to suggest that the actors have any connection or affiliation with the island country.\n\nThe entry point for the attacks involves the exploitation of known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, followed by distributing the ransomware via [Hancitor](<https://blogs.blackberry.com/en/2021/07/threat-thursday-hancitor-malware>) (aka Chanitor).\n\nSome of the flaws incorporated by Cuba into its toolset are as follows -\n\n * [**CVE-2022-24521**](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>) (CVSS score: 7.8) - An 
elevation of privilege vulnerability in Windows Common Log File System (CLFS) Driver\n * [**CVE-2020-1472**](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) (CVSS score: 10.0) - An elevation of privilege vulnerability in Netlogon remote protocol (aka ZeroLogon)\n\n\"In addition to deploying ransomware, the actors have used 'double extortion' techniques, in which they exfiltrate victim data, and (1) demand a ransom payment to decrypt it and, (2) threaten to publicly release it if a ransom payment is not made,\" CISA noted.\n\nCuba is also said to share links with the operators of RomCom RAT and another ransomware family called Industrial Spy, according to recent findings from BlackBerry and Palo Alto Networks Unit 42.\n\nThe RomCom RAT is [distributed](<https://thehackernews.com/2022/11/hackers-using-rogue-versions-of-keepass.html>) through trojanized versions of legitimate software such as SolarWinds Network Performance Monitor, KeePass, PDF Reader Pro, Advanced IP Scanner, pdfFiller, and Veeam Backup & Replication that are hosted on counterfeit lookalike websites.\n\nThe advisory from CISA and FBI is the latest in a series of alerts the agencies have issued about different ransomware strains such as [MedusaLocker](<https://www.cisa.gov/uscert/ncas/alerts/aa22-181a>), [Zeppelin](<https://www.cisa.gov/uscert/ncas/alerts/aa22-223a>), [Vice Society](<https://thehackernews.com/2022/10/vice-society-hackers-are-behind-several.html>), [Daixin Team](<https://thehackernews.com/2022/10/cisa-warns-of-daixin-team-hackers.html>), and [Hive](<https://thehackernews.com/2022/11/hive-ransomware-attackers-extorted-100.html>).\n\n \n\n\nFound this article interesting? 
Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-12-02T06:04:00", "type": "thn", "title": "Cuba Ransomware Extorted Over $60 Million in Ransom Fees from More than 100 Entities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2022-24521"], "modified": "2022-12-02T13:20:45", "id": "THN:2AE638B06506778A5F779054ACB99CDC", "href": "https://thehackernews.com/2022/12/cuba-ransomware-extorted-over-60.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-12T04:04:28", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjG5NY6z_E3mIqws1GTNFoFKEavt9jBxtciK10htSDSQc_JECqfwKvNTPymBW0axc6McWFzM08_t78ovmJx91jcYFgquWC09fNYVXBMKenTKS08JGIU8VnHvwXEcZdfG0DG9NePAIWwEZN0t1g7Ax2ZaG1fKl6W75RQWiD5ekyGBcApeB74SwA5osWN/s728-e100/ransomware.jpg>)\n\nThreat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, 
techniques and procedures (TTPs), including the deployment of a new remote access trojan called **ROMCOM RAT** on compromised systems.\n\nThe [new findings](<https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/>) come from Palo Alto Networks' Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the [constellation-themed moniker](<https://unit42.paloaltonetworks.com/unit-42-threat-group-naming-update/>) **Tropical Scorpius**.\n\nCuba ransomware (aka [COLDDRAW](<https://www.mandiant.com/resources/unc2596-cuba-ransomware>)), which was first detected in December 2019, reemerged on the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments.\n\nOf the 60 victims listed on its data leak site, 40 are located in the U.S., indicating a less global distribution of targeted organizations than other ransomware gangs.\n\n\"Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims' networks,\" according to a [December 2021 alert](<https://www.ic3.gov/Media/News/2021/211203-2.pdf>) from the U.S. 
Federal Bureau of Investigation (FBI).\n\n\"Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim's network.\"\n\nIn the intervening months, the ransomware operation received substantial upgrades with an aim to \"optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate,\" [noted](<https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html>) Trend Micro in June.\n\nChief among the changes encompassed terminating more processes before encryption (viz Microsoft Outlook, Exchange, and MySQL), expanding the file types to be excluded, and revision to its ransom note to offer victim support via quTox.\n\nTropical Scorpius is also believed to share connections with a data extortion marketplace called Industrial Spy, as [reported](<https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/>) by Bleeping Computer in May 2022, with the exfiltrated data following a Cuba ransomware attack posted for sale on the illicit portal instead of its own data leak site.\n\nThe latest updates observed by Unit 42 in May 2022 has to do with the defense evasion tactics employed prior to the deployment of the ransomware to fly under the radar and move laterally across the compromised IT environment.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhhaBChjsAYv4PpKZR25UQ3kDpGAHQ3G4qGVnXq8GGelhND5cDH3UxCWOv2uIEGmZtCmEIs7o_BMLcnlIByriCzFi43Pwsd9Ev2--mNQ8ieosDPxK156gZtGWhqJazdEVZXfbI5oJJsalpaeIG4ypHXkpAWog09JIppeF5_pNWu-zVY1niiteyZNblF/s728-e100/chart.jpg>)\n\n\"Tropical Scorpius leveraged a dropper that writes a kernel driver to the file system called ApcHelper.sys,\" the company stated. \"This targets and terminates security products. 
The dropper was not signed, however, the kernel driver was signed using the certificate found in the [LAPSUS$ NVIDIA leak](<https://thehackernews.com/2022/03/hackers-who-broke-into-nvidias-network.html>).\"\n\nThe main task of the kernel driver is to terminate processes associated with security products so as to bypass detection. Also incorporated in the attack chain is a local privilege escalation tool downloaded from a remote server to gain SYSTEM permissions. \n\nThis, in turn, is achieved by triggering an exploit for CVE-2022-24521 (CVSS score: 7.8), a flaw in the Windows Common Log File System (CLFS) that was [patched](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>) by Microsoft as a zero-day flaw in April 2022.\n\nThe privilege escalation step is followed by carrying out system reconnaissance and lateral movement activities through tools like ADFind and Net Scan, while also using a ZeroLogon utility that exploits [CVE-2020-1472](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) to gain domain administrator rights.\n\nFurthermore, the intrusion paves the way for the deployment of a novel backdoor called ROMCOM RAT, which is equipped to start a reverse shell, delete arbitrary files, upload data to a remote server, and harvest a list of running processes.\n\nThe remote access trojan, per Unit 42, is said to be under active development, as the cybersecurity firm discovered a second sample uploaded to the VirusTotal database on June 20, 2022.\n\nThe improved variant comes with support for a broadened set of 22 commands, counting the ability to download bespoke payloads to capture screenshots as well as extract a list of all installed applications to send back to the remote server.\n\n\"Tropical Scorpius remains an active threat,\" the researchers said. 
\"The group's activity makes it clear that an approach to tradecraft using a hybrid of more nuanced tools focusing on low-level Windows internals for defense evasion and local privilege escalation can be highly effective during an intrusion.\n\nThe findings come as emerging ransomware groups such as [Stormous](<https://cloudsek.com/threatintelligence/stormous-ransomware-group-runs-opinion-polls-leaks-intellectual-property-of-indian-companies/>), [Vice Society](<https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/>), [Luna](<https://thehackernews.com/2022/07/new-rust-based-ransomware-family.html>), [SolidBit](<https://medium.com/s2wblog/two-copycats-of-lockbit-ransomware-solidbit-and-crypton-7257fb069b16>), and BlueSky are continuing to proliferate and evolve in the cybercrime ecosystem, at the same using advanced encryption techniques and delivery mechanisms.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiMII7rTuz0-pkhQiKNG-tXibaA5dvIeKqjHYEPmsFQDciFG1K40Epz9E4XdSX3mAC1dqyP9wQ42bMnK9kJH0rHe6pPSfG8Z8s1Mwag8HuLMmwh7PcMF3j-sjdl-Xa4TSgUKn872EWArqVk5pQMtn_v7uFF-vdZMXYjcI4YrXgMtKGOEk66z1WFW8mS/s728-e100/ransomware-malware.jpg>)\n\nSolidBit particularly stands out for its targeting of users of popular video games and social media platforms by masquerading as different applications like League of Legends account checker, Social Hacker, and Instagram Follower Bot, allowing the actors to cast a wide net of potential victims.\n\n\"SolidBit ransomware is compiled using .NET and is actually a variant of [Yashma](<https://thehackernews.com/2022/05/new-chaos-ransomware-builder-variant.html>) ransomware, also known as Chaos,\" Trend Micro [disclosed](<https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html>) in a write-up last week.\n\n\"It's possible that SolidBit's ransomware actors are currently working with the original developer of Yashma ransomware and 
likely modified some features from the Chaos builder, later rebranding it as SolidBit.\"\n\nBlueSky, for its part, is known to utilize multithreading to encrypt files on the host for faster encryption, not to mention adopt anti-analysis techniques to obfuscate its appearance.\n\nThe ransomware payload, which kicks off with the execution of a PowerShell script retrieved from an attacker-controlled server, also disguises itself as a legitimate Windows application (\"javaw.exe\").\n\n\"Ransomware authors are adopting modern advanced techniques such as encoding and encrypting malicious samples, or using multi-staged ransomware delivery and loading, to evade security defenses,\" Unit 42 [noted](<https://unit42.paloaltonetworks.com/bluesky-ransomware/>).\n\n\"BlueSky ransomware is capable of encrypting files on victim hosts at rapid speeds with multithreaded computation. In addition, the ransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for the analyst.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-11T10:21:00", "type": "thn", "title": "Hackers Behind Cuba Ransomware Attacks Using New RAT Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2022-24521"], "modified": "2022-08-12T02:23:42", "id": "THN:D7DBE5ECBAF3E906ECA544B7E150594A", "href": "https://thehackernews.com/2022/08/hackers-behind-cuba-ransomware-attacks.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-13T04:17:38", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjV2jd3p9rwaZ2Vkd1R9kGPG7lmNFaBXn5xXe_oVH3HCThw2Tp9OTm5905K260MP0fh1NXPOEmaJCefDqa2IVqjH4qcR79WpY4eDLSzajVPF3Y2JyTvbMinBxpLXMJidmBsSUMHIfpdv-jqKT_DiGxbhQ-1iKr44M1hoVGmup2qrkM8CtL7JD0feAkA/s728-e365/windows-update.jpg>)\n\nIt's the second Tuesday of the month, and Microsoft has released 
another set of security updates to fix [a total of 97 flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr>) impacting its software, one of which has been actively exploited in ransomware attacks in the wild.\n\nSeven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.\n\nThe security flaw that's come under active exploitation is [CVE-2023-28252](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252>) (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.\n\n\"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,\" Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.\n\nCVE-2023-28252 is the fourth privilege escalation flaw in the CLFS component that has come under active abuse in the past year alone after [CVE-2022-24521](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>), [CVE-2022-37969](<https://thehackernews.com/2022/10/researchers-reveal-detail-for-windows.html>), and [CVE-2023-23376](<https://thehackernews.com/2023/02/update-now-microsoft-releases-patches.html>) (CVSS scores: 7.8). 
At least 32 vulnerabilities have been identified in CLFS since 2018.\n\nAccording to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy [Nokoyawa ransomware](<https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html>) against small and medium-sized businesses in the Middle East, North America, and Asia.\n\n\"CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block,\" Larin [said](<https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/>). \"The vulnerability gets triggered by the manipulation of the base log file.\"\n\nIn light of ongoing exploitation of the flaw, CISA has [added](<https://www.cisa.gov/news-events/alerts/2023/04/11/cisa-adds-one-known-exploited-vulnerability-catalog>) the Windows zero-day to its catalog of Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhsQEC6Cuj423YEDVoote6nXwNX5IY9salePYojS0x-ku1JqHYeSBIOWDTJjP0hOXSSh90WvMgVnBSFNRppM9NoZIhO-7IyNUmz3MeL38Y_dVjGA55M112NouTev0xhpze9ofiVsIq80pmiJy63-3WgXDOMsXH7M4v4UQEHVS1PWGj8pD0CeTWiP6jP/s728-e365/windows-ransomware.png>)\n\nAlso patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing ([MSMQ](<https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms703216\\(v=vs.85\\)>)).\n\nThe MSMQ bug, tracked as [CVE-2023-21554](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554>) (CVSS score: 9.8) and dubbed QueueJumper by Check Point, could lead to unauthorized code execution and take over 
a server by sending a specially crafted malicious MSMQ packet to an MSMQ server.\n\n\"The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801,\" Check Point researcher Haifei Li [said](<https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/>). \"In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability.\"\n\nTwo other flaws discovered in MSMQ, [CVE-2023-21769](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21769>) and [CVE-2023-28302](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28302>) (CVSS scores: 7.5), could be exploited to cause a denial-of-service (DoS) condition such as a service crash and Windows Blue Screen of Death ([BSoD](<https://en.wikipedia.org/wiki/Blue_screen_of_death>)).\n\nMicrosoft has also updated its advisory for [CVE-2013-3900](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900>), a 10-year-old WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions -\n\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2012\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019, and\n * Windows Server 2022\n\nThe development comes as North Korea-linked threat actors have been observed [leveraging the flaw](<https://thehackernews.com/2023/04/cryptocurrency-companies-targeted-in.html>) to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.\n\n## Microsoft Issues Guidance for BlackLotus Bootkit Attacks\n\nIn tandem with the update, the tech giant also issued guidance for 
[CVE-2022-21894](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21894>) (aka Baton Drop), a now-fixed Secure Boot bypass flaw that has been exploited by threat actors using a nascent Unified Extensible Firmware Interface (UEFI) bootkit called [BlackLotus](<https://thehackernews.com/2023/03/blacklotus-becomes-first-uefi-bootkit.html>) to establish persistence on a host.\n\nSome indicators of compromise (IoCs) include recently created and locked bootloader files in the EFI system partition ([ESP](<https://en.wikipedia.org/wiki/EFI_system_partition>)), event logs associated with the stoppage of Microsoft Defender Antivirus, presence of the staging directory ESP:/system32/, and modifications to the [registry key](<https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement>) HKLM:\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity.\n\n\"UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms,\" the Microsoft Incident Response team [said](<https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/>).\n\nMicrosoft has further recommended that organizations remove compromised devices from the network and examine them for evidence of follow-on activity, reformat or restore the machines from a known clean backup that includes the EFI partition, maintain credential hygiene, and enforce the principle of least privilege ([PoLP](<https://en.wikipedia.org/wiki/Principle_of_least_privilege>)).\n\n## Software Patches from Other Vendors\n\nIn addition to Microsoft, security updates have also been released by other vendors in the last few weeks to rectify several vulnerabilities, including \u2014\n\n * 
[Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/docs/security/bulletin/2023-04-01>)\n * [Apache Projects](<https://projects.apache.org/releases.html>)\n * [Apple](<https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html>)\n * [Arm](<https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities>)\n * [Aruba Networks](<https://www.arubanetworks.com/support-services/security-bulletins/>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [CODESYS](<https://www.codesys.com/security/security-reports.html>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Drupal](<https://www.drupal.org/security>)\n * [F5](<https://support.f5.com/csp/new-updated-articles>)\n * [Fortinet](<https://www.fortiguard.com/psirt?date=04-2023>)\n * [GitLab](<https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop.html>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [IBM](<https://www.ibm.com/support/pages/bulletin/>)\n * [Jenkins](<https://www.jenkins.io/security/advisories/>)\n * [Juniper Networks](<https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=\\[Security%20Advisories\\]>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red 
Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/April-2023>)\n * [Mozilla Firefox, Firefox ESR, and Thunderbird](<https://www.mozilla.org/en-US/security/advisories/>)\n * [NETGEAR](<https://www.netgear.com/about/security/>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * [Palo Alto Networks](<https://thehackernews.com/2023/04/rorschach-ransomware-emerges-experts.html>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2023-bulletin.html>)\n * [Samba](<https://www.samba.org/samba/history/>)\n * [Samsung](<https://security.samsungmobile.com/securityUpdate.smsb>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [SonicWall](<https://www.sonicwall.com/support/product-notifications/>), and\n * [Sophos](<https://www.sophos.com/en-us/security-advisories>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-12T06:38:00", "type": "thn", "title": "Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3900", "CVE-2022-21894", "CVE-2022-24521", "CVE-2022-37969", "CVE-2023-21554", "CVE-2023-21769", "CVE-2023-23376", "CVE-2023-28252", "CVE-2023-28302"], "modified": "2023-04-13T03:49:47", "id": "THN:AE23BB3E760EC8C77F34E3E6E28A6FE2", "href": "https://thehackernews.com/2023/04/urgent-microsoft-issues-patches-for-97.html", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:28", "description": 
"Microsoft's Patch Tuesday updates for the month of April have addressed a [total of 128 security vulnerabilities](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr>) spanning its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.\n\n10 of the 128 bugs fixed are rated Critical, 115 are rated Important, and three are rated Moderate in severity, with one of the flaws listed as publicly known and another under active attack at the time of the release.\n\nThe updates are in addition to [26 other flaws](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) resolved by Microsoft in its Chromium-based Edge browser since the start of the month.\n\nThe actively exploited flaw ([CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>), CVSS score: 7.8) relates to an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). Credited with reporting the flaw are the U.S. 
National Security Agency (NSA) and CrowdStrike researchers Adam Podlosky and Amir Bazine.\n\nThe second publicly-known zero-day flaw ([CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>), CVSS score: 7.0) also concerns a case of privilege escalation in the Windows User Profile Service, successful exploitation of which \"requires an attacker to win a race condition.\"\n\nOther critical flaws to note include a number of remote code execution flaws in RPC Runtime Library ([CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>), CVSS score: 9.8), Windows Network File System ([CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>), CVSS scores: 9.8), Windows Server Service ([CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>)), Windows SMB ([CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>)), and Microsoft Dynamics 365 ([CVE-2022-23259](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259>)).\n\nMicrosoft also patched as many as 18 flaws in Windows DNS Server, one information disclosure flaw and 17 remote code execution flaws, all of which were reported by security researcher Yuki Chen. 
Also remediated are 15 privilege escalation flaws in the Windows Print Spooler component.\n\nThe patches arrive a week after the tech giant announced plans to make available a feature called [AutoPatch](<https://thehackernews.com/2022/04/microsofts-new-autopatch-feature-to.html>) in July 2022 that allows enterprises to apply security fixes in a timely fashion while emphasizing scalability and stability.\n\n### Software Patches from Other Vendors\n\nIn addition to Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-04-01>)\n * [Apache Struts 2](<https://cwiki.apache.org/confluence/display/WW/S2-062>)\n * [Cisco Systems](<https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html>)\n * [HP Teradici PCoIP Client](<https://support.hp.com/us-en/security-bulletins>)\n * [Juniper Networks](<https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=\\[Security%20Advisories\\]>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2022-April/thread.html>)\n * [Mozilla Firefox, Firefox ESR, and Thunderbird](<https://www.mozilla.org/en-US/security/advisories/>)\n * 
[SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T03:22:00", "type": "thn", "title": "Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23259", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26904"], "modified": "2022-04-13T03:22:09", "id": "THN:2A188AB3A1960F89715831B15A68311E", "href": 
"https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2022-09-13T22:03:34", "description": "_By Jon Munshaw and Asheer Malhotra._\n\nMicrosoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company\u2019s hardware and software line, a sharp decline from the [record number of issues](<https://blog.talosintelligence.com/2022/08/microsoft-patch-tuesday-for-august-2022.html>) Microsoft disclosed last month.\n\nSeptember's security update features five critical vulnerabilities, 10 fewer than were included in last month\u2019s Patch Tuesday. There are two moderate-severity vulnerabilities in this release and a low-severity issue that\u2019s already been patched as a part of a recent Google Chromium update. The remainder is considered \u201cimportant.\u201d\n\nThe most serious vulnerability exists in several versions of Windows Server and Windows 10 that could allow an attacker to gain the ability to execute remote code (RCE) by sending a singular, specially crafted IPv6 packet to a Windows node where IPSec is enabled. [CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>) only affects instances that have IPSec enabled. This vulnerability has a severity score of 9.8 out of 10 and is considered by Microsoft \u201cmore likely\u201d to be exploited.\n\nMicrosoft disclosed one vulnerability that's being actively exploited in the wild \u2014 [CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>). 
Microsoft's advisory states this vulnerability is already circulating in the wild and could allow an attacker to gain SYSTEM-level privileges by exploiting the Windows Common Log File System Driver. The adversary must first have access to the targeted system and then run specific code, though no user interaction is required.\n\n[CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>) and [CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>) also have severity scores of 9.8, though they are \u201cless likely\u201d to be exploited, according to Microsoft. These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet.\n\nTwo other critical vulnerabilities, [CVE-2022-35805](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35805>) and [CVE-2022-34700](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34700>), exist in on-premises instances of Microsoft Dynamics 365. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner. 
\n\nTalos would also like to highlight five important vulnerabilities that Microsoft considers to be \u201cmore likely\u201d to be exploited: \n\n * [CVE-2022-37957](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37957>) \u2014 Windows Kernel Elevation of Privilege Vulnerability \n * [CVE-2022-35803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35803>) \u2014 Windows Common Log File System Driver Elevation of Privilege Vulnerability \n * [CVE-2022-37954](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37954>) \u2014 DirectX Graphics Kernel Elevation of Privilege Vulnerability \n * [CVE-2022-34725](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34725>) \u2014 Windows ALPC Elevation of Privilege Vulnerability \n * [CVE-2022-34729](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34729>) \u2014 Windows GDI Elevation of Privilege Vulnerability \n\nA complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. \n\nIn response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. \n\nThe rules included in this release that protect against the exploitation of many of these vulnerabilities are 60546, 60547, 60549, 60550 and 60552 - 60554. 
We've also released Snort 3 rules 300266 - 300270.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T18:01:00", "type": "talosblog", "title": "Microsoft Patch Tuesday for September 2022 \u2014 Snort rules and prominent vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-34700", "CVE-2022-34718", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34725", "CVE-2022-34729", "CVE-2022-35803", "CVE-2022-35805", "CVE-2022-37954", "CVE-2022-37957", "CVE-2022-37969"], "modified": "2022-09-13T18:24:22", "id": "TALOSBLOG:E99AAC7F44B9D1EA471CB0F2A592FA92", "href": "http://blog.talosintelligence.com/2022/09/microsoft-patch-tuesday-for-september.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-09T19:58:11", "description": "\n\nWelcome to this week's edition of the Threat Source newsletter.\n\nLaw enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.\n\nOn March 23, the FBI announced it [disrupted the online cybercriminal marketplace BreachForums](<https://www.justice.gov/opa/pr/justice-department-announces-arrest-founder-one-world-s-largest-hacker-forums-and-disruption>), known for being a place where users could buy and sell stolen user information. 
They also arrested a 20-year-old suspected of being the site's founder and main administrator.\n\nThen last week we had ["Operation Cookie Monster"](<https://arstechnica.com/tech-policy/2023/04/operation-cookie-monster-feds-seize-notorious-hacker-marketplace/>) in which several international agencies worked together [to take down Genesis Market](<https://www.reuters.com/world/uk/operation-cookie-monster-international-police-action-seizes-dark-web-market-2023-04-05/>), a similar dark web forum, arresting dozens of suspected users and administrators.\n\nThese arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.'s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.\n\nBut the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.\n\nSo while it's great that these sites have been disrupted, I can't help but assume that two more sites are going to pop up to service these cyber criminals. 
It's impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.\n\nSome of the same agencies celebrated in March 2021 that they [disrupted Emotet](<https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation>), one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn't actually go anywhere and was rebooted as recently as last month, [according to our research](<https://blog.talosintelligence.com/emotet-switches-to-onenote/>).\n\nRaidForums, a forefather of BreachForums, was [also disrupted in April 2022](<http://techtarget.com/searchsecurity/news/252515896/Law-enforcement-takedowns-continue-with-RaidForums-seizure>), along with the arrest of several administrators and accomplices.\n\nAll of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it's important to remember that we as a security community can't take our foot off the gas and assume that because there were a few big wins that [dark web forums are just going to go away forever](<https://talostakes.talosintelligence.com/2018149/11127920>).\n\n## The one big thing\n\n[Microsoft's Patch Tuesday](<https://blog.talosintelligence.com/microsoft-patch-tuesday-for-april-2023/>) for April included another zero-day vulnerability in the Windows Common Log File System Driver. [CVE-2023-28252](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28252>), which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. 
Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of known exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.\n\n### Why do I care?\n\nSecurity researchers say that the vulnerability has already been [exploited in Nokoyawa ransomware attacks](<https://www.bleepingcomputer.com/news/security/windows-zero-day-vulnerability-exploited-in-ransomware-attacks/>), so it's important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets' files and then threaten to leak them unless the ransom is paid.\n\n### So now what?\n\nMicrosoft has a patch available, so all Windows users should update now if they haven't already. Talos also has [new Snort detection coverage available](<https://snort.org/advisories/talos-rules-2023-04-11>) for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.\n\n## Top security headlines of the week\n\n**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia's invasion of Ukraine and China's military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. 
([Bellingcat](<https://www.bellingcat.com/news/2023/04/09/from-discord-to-4chan-the-improbable-journey-of-a-us-defence-leak/>), [New York Times](<https://www.nytimes.com/2023/04/07/us/politics/classified-documents-leak.html>))\n\n**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. ([SC Media](<https://www.scmagazine.com/news/device-security/apple-patches-two-new-zero-days-targeting-iphones-ipads-macs>), [Security Week](<http://securityweek.com/apple-rolls-out-zero-day-patches-to-older-ios-macos-devices/>))\n\n**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to "introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI's Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. 
([Axios](<https://www.axios.com/2023/04/10/fbi-warning-charging-stations-juice-jacking>), [NBC News](<https://www.nbcnews.com/business/consumer/fbi-warns-using-public-phone-charging-stations-rcna78998>))\n\n## Can't get enough Talos?\n\n * [How threat actors are using AI and other modern tools to enhance their phishing attempts](<https://blog.talosintelligence.com/ai-and-other-modern-tools-enhance-phishing/>)\n * [How do you hunt cybersecurity threats in a war zone? Like this](<https://www.theregister.com/2023/04/07/talos_threat_hunting_ukraine/>)\n * [Cisco unveils latest security trends from Cisco Talos report at GISEC 2023](<https://www.intelligentcio.com/me/2023/03/14/cisco-unveils-latest-security-trends-from-cisco-talos-report-at-gisec-2023/>)\n * [Researcher Spotlight: Giannis Tziakouris first learned how to fix his family's PC, and now he's fixing networks all over the globe](<https://blog.talosintelligence.com/researcher-spotlight-giannis-tziakouris/>)\n\n## Upcoming events where you can find Talos\n\n**[RSA](<https://www.rsaconference.com/usa>) (April 24 - 27)**\n\nSan Francisco, CA\n\n**[Cisco Talos Incident Response: On Air](<https://www.linkedin.com/events/7049146334452355072/about/>) (April 27)**\n\nVirtual\n\n**[Cisco Live U.S.](<https://www.ciscolive.com/global.html?zid=pp>) (June 4 - 8)**\n\nLas Vegas, NV\n\n## Most prevalent malware files from Talos telemetry over the past week\n\n \n**SHA 256:** [9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507](<https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details>) \n**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f \n**Typical Filename:** VID001.exe \n**Claimed Product:** N/A \n**Detection Name:** Win.Worm.Coinminer::1201\n\n**SHA 256:** [e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6](<https://www.virustotal.com/gui/file/e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6/details>) \n**MD5:** 
1e2a99ae43d6365148d412b5dfee0e1c \n**Typical Filename:** PDFpower.exe \n**Claimed Product:** PdfPower \n**Detection Name:** Win32.Adware.Generic.SSO.TALOS\n\n**SHA 256:** [f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f](<https://www.virustotal.com/gui/file/f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f/details>) \n**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a \n**Typical Filename:** KMSAuto.exe \n**Claimed Product:** N/A \n**Detection Name:** W32.File.MalParent\n\n**SHA 256:** [e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>) \n**MD5:** 93fefc3e88ffb78abb36365fa5cf857c \n**Typical Filename:** Wextract \n**Claimed Product:** Internet Explorer \n**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg\n\n**SHA 256:** [00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725](<https://www.virustotal.com/gui/file/00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725/details>) \n**MD5:** d47fa115154927113b05bd3c8a308201 \n**Typical Filename:** mssqlsrv.exe \n**Claimed Product:** N/A \n**Detection Name:** Trojan.GenericKD.65065311", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-13T18:00:40", "type": "talosblog", "title": "Threat Source newsletter (April 13, 2023) \u2014 Dark web forum whac-a-mole", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-37969", "CVE-2023-28205", "CVE-2023-28206", "CVE-2023-28252"], "modified": "2023-04-13T18:00:40", "id": 
"TALOSBLOG:0590B57B0EE82F183D901AD4C42EB516", "href": "https://blog.talosintelligence.com/threat-source-newsletter-april-13-2023/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-07T18:41:40", "description": "\n\nMicrosoft released its monthly round of security updates and patches today, continuing its trend of fixing zero-day vulnerabilities on Patch Tuesday.\n\nApril's security update includes one vulnerability that's actively being exploited in the wild. There are also eight critical vulnerabilities and the remaining 90 are considered "important."\n\n[CVE-2023-28252](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28252>), an elevation of privilege vulnerability in the Windows Common Log File System Driver, is actively being exploited in the wild, according to Microsoft, though proof of concept code is not currently available. An adversary could exploit this vulnerability to gain SYSTEM privileges.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency already [added the vulnerability](<https://www.cisa.gov/news-events/alerts/2023/04/11/cisa-adds-one-known-exploited-vulnerability-catalog>) to its list of known exploited issues and urged federal agencies to patch it as soon as possible.\n\nMicrosoft [disclosed a similar zero-day issue](<https://blog.talosintelligence.com/microsoft-patch-tuesday-for-september-2022-snort-rules-and-prominent-vulnerabilities/>) in September that could also lead to the same privileges: [CVE-2022-37969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969>). 
April is the [third month in a row](<https://blog.talosintelligence.com/microsoft-patch-tuesday-for-march-2023-snort-rules-and-prominent-vulnerabilities/>) in which [at least one](<https://blog.talosintelligence.com/microsoft-patch-tuesday-for-february-2023-snort-rules-and-prominent-vulnerabilities/>) of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.\n\nTwo of the critical vulnerabilities Microsoft also patched are in the Layer 2 Tunneling Protocol: [CVE-2023-28219](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28219>) and [CVE-2023-28220](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28220>). An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine. These vulnerabilities do not require any user interaction to be exploited, but the adversary would need to win a race condition to be successful.\n\nOne of the most severe issues is [CVE-2023-21554](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21554>), a remote code execution vulnerability in the Microsoft Message queuing system. Microsoft considers exploitation of this vulnerability to be "more likely," and it received a CVSS severity score of 9.8 out of 10. Users who want to check to see if they're being targeted by the exploitation of this vulnerability can run a check to see if there's a service named "Message Queuing" on their machine, and if TCP port 1801 is listening on the machine.\n\n[CVE-2023-28231](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28231>), a remote code execution vulnerability on the DHCP server service, is also considered "more likely" to be exploited. An attacker could exploit this vulnerability by sending a specially crafted RCP call to the targeted DHCP server. 
However, the adversary first must gain access to the restricted network.\n\nThere are four other critical vulnerabilities, though Microsoft considers them "less likely" to be exploited:\n\n * [CVE-2023-28232](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28232>): Windows Point-to-Point Tunneling Protocol remote code execution vulnerability\n * [CVE-2023-28240](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28240>): Windows Network Load Balancing remote code execution vulnerability \n[CVE-2023-28250:](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28250>) Windows Pragmatic General Multicast (PGM) remote code execution vulnerability\n * [CVE-2023-28291](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28291>): Raw Image Extension remote code execution vulnerability\n\nA complete list of all the vulnerabilities Microsoft disclosed this month is available on its [update page](<https://portal.msrc.microsoft.com/en-us/security-guidance>).\n\nIn response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\n\nThe rules included in this release that protect against the exploitation of many of these vulnerabilities are 61606, 61607 and 61613 - 61620. 
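The MSMQ check the Talos post describes (is the "Message Queuing" service present, and is TCP 1801 listening) is easy to get wrong by eye, so here it is as a script. This is an added example, not code from the Talos post or from Microsoft. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where `Get-NetTCPConnection` exists; that the service name behind "Message Queuing" is `MSMQ`; and that its host process is normally `mqsvc.exe`. The function name is this example's own.

```powershell
# Added example (not code from the Talos post): triage a Windows host for
# exposure to CVE-2023-21554 using the two indicators the post names, the
# "Message Queuing" service and a listener on TCP 1801.
# Assumptions: elevated session, Windows 8 / Server 2012 or later (for
# Get-NetTCPConnection); service name "MSMQ"; host process mqsvc.exe.

function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        # MSMQ's TCP port as given in the post; parameterised for lab variants.
        [int]$Port = 1801
    )

    # $null when Message Queuing is not installed at all.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Every LISTEN socket on the port (IPv4 and IPv6 both show up here).
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    # Tie the listener to its process so a hit can be confirmed as mqsvc.exe
    # rather than some unrelated service that happens to use the port.
    $owner = $null
    if ($listeners.Count -gt 0) {
        $owner = Get-Process -Id $listeners[0].OwningProcess -ErrorAction SilentlyContinue
    }

    # 0.0.0.0 or :: here means the service is bound on every interface.
    $bound = $listeners | ForEach-Object { $_.LocalAddress } | Sort-Object -Unique

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        PortListening    = ($listeners.Count -gt 0)
        BoundAddresses   = ($bound -join ', ')
        OwningProcess    = if ($owner) { $owner.ProcessName } else { $null }
        # Exposed means reachable over the network. It says nothing about
        # whether the April 2023 update is installed or whether an attack
        # has occurred; the Snort rules in the post cover the latter.
        Exposed          = ([bool]$svc) -and ($listeners.Count -gt 0)
    }
}

Test-MsmqExposure | Format-List

# Fleet variant: a function body is a ScriptBlock, so it can be shipped to
# hosts over WinRM unchanged.
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-MsmqExposure}
```

`Exposed` true with `BoundAddresses` of `0.0.0.0` or `::` is the case to act on first. The check is an exposure check, not a compromise check: if the update cannot go on immediately, blocking inbound TCP 1801 at the host firewall removes the network path, and the Snort rules the post lists are what detect exploitation attempts against hosts that stay exposed.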
There are also Snort 3 rules 300496, 300499 and 300500.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-11T19:28:27", "type": "talosblog", "title": "Microsoft Patch Tuesday for April 2023 \u2014 Snort rules and prominent vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-37969", "CVE-2023-21554", "CVE-2023-28219", "CVE-2023-28220", "CVE-2023-28231", "CVE-2023-28232", "CVE-2023-28240", "CVE-2023-28250", "CVE-2023-28252", "CVE-2023-28291"], "modified": "2023-04-11T19:28:27", "id": "TALOSBLOG:9C326FEF8807002127104C1D548553C7", "href": "https://blog.talosintelligence.com/microsoft-patch-tuesday-for-april-2023/", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2023-06-03T15:04:12", "description": "### *Detect date*:\n09/13/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Dynamics. 
Malicious users can exploit these vulnerabilities to execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Dynamics CRM (on-premises) 9.0 \nMicrosoft Dynamics CRM (on-premises) 9.1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-34700](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34700>) \n[CVE-2022-35805](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35805>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Dynamics AX](<https://threats.kaspersky.com/en/product/Microsoft-Dynamics-AX/>)\n\n### *CVE-IDS*:\n[CVE-2022-34700](<https://vulners.com/cve/CVE-2022-34700>)5.0Critical \n[CVE-2022-35805](<https://vulners.com/cve/CVE-2022-35805>)5.0Critical\n\n### *KB list*:\n[5017524](<http://support.microsoft.com/kb/5017524>) \n[5017226](<http://support.microsoft.com/kb/5017226>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "kaspersky", "title": "KLA19247 Multiple vulnerabilities in Microsoft Dynamics", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34700", "CVE-2022-35805"], "modified": "2022-09-15T00:00:00", "id": "KLA19247", "href": "https://threats.kaspersky.com/en/vulnerability/KLA19247/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:04:11", "description": "### *Detect date*:\n09/13/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, cause denial of service, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-35840](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35840>) \n[CVE-2022-38004](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38004>) \n[CVE-2022-34727](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34727>) \n[CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>) 
\n[CVE-2022-30170](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30170>) \n[CVE-2022-34724](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34724>) \n[CVE-2022-33647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33647>) \n[CVE-2022-34732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34732>) \n[CVE-2022-35830](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35830>) \n[CVE-2022-34726](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34726>) \n[CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>) \n[CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>) \n[CVE-2022-37955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37955>) \n[CVE-2022-34731](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34731>) \n[CVE-2022-35803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35803>) \n[CVE-2022-30200](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30200>) \n[CVE-2022-34730](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34730>) \n[CVE-2022-34729](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34729>) \n[CVE-2022-38006](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38006>) \n[CVE-2022-38005](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38005>) \n[CVE-2022-37964](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37964>) \n[CVE-2022-37956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37956>) \n[CVE-2022-34733](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34733>) \n[CVE-2022-35836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35836>) \n[CVE-2022-35833](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35833>) 
\n[CVE-2022-35832](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35832>) \n[CVE-2022-37958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37958>) \n[CVE-2022-35835](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35835>) \n[CVE-2022-33679](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33679>) \n[CVE-2022-34734](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34734>) \n[CVE-2022-34728](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34728>) \n[CVE-2022-34720](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34720>) \n[CVE-2022-34719](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34719>) \n[CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>) \n[CVE-2022-35837](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35837>) \n[CVE-2022-35834](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35834>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-35840](<https://vulners.com/cve/CVE-2022-35840>)5.0Critical \n[CVE-2022-38004](<https://vulners.com/cve/CVE-2022-38004>)5.0Critical \n[CVE-2022-34727](<https://vulners.com/cve/CVE-2022-34727>)5.0Critical \n[CVE-2022-37969](<https://vulners.com/cve/CVE-2022-37969>)5.0Critical \n[CVE-2022-30170](<https://vulners.com/cve/CVE-2022-30170>)5.0Critical \n[CVE-2022-34724](<https://vulners.com/cve/CVE-2022-34724>)5.0Critical \n[CVE-2022-33647](<https://vulners.com/cve/CVE-2022-33647>)5.0Critical \n[CVE-2022-34732](<https://vulners.com/cve/CVE-2022-34732>)5.0Critical \n[CVE-2022-35830](<https://vulners.com/cve/CVE-2022-35830>)5.0Critical \n[CVE-2022-34726](<https://vulners.com/cve/CVE-2022-34726>)5.0Critical \n[CVE-2022-34718](<https://vulners.com/cve/CVE-2022-34718>)5.0Critical 
\n[CVE-2022-34721](<https://vulners.com/cve/CVE-2022-34721>)5.0Critical \n[CVE-2022-37955](<https://vulners.com/cve/CVE-2022-37955>)5.0Critical \n[CVE-2022-34731](<https://vulners.com/cve/CVE-2022-34731>)5.0Critical \n[CVE-2022-35803](<https://vulners.com/cve/CVE-2022-35803>)5.0Critical \n[CVE-2022-30200](<https://vulners.com/cve/CVE-2022-30200>)5.0Critical \n[CVE-2022-34730](<https://vulners.com/cve/CVE-2022-34730>)5.0Critical \n[CVE-2022-34729](<https://vulners.com/cve/CVE-2022-34729>)5.0Critical \n[CVE-2022-38006](<https://vulners.com/cve/CVE-2022-38006>)5.0Critical \n[CVE-2022-38005](<https://vulners.com/cve/CVE-2022-38005>)5.0Critical \n[CVE-2022-37956](<https://vulners.com/cve/CVE-2022-37956>)5.0Critical \n[CVE-2022-34733](<https://vulners.com/cve/CVE-2022-34733>)5.0Critical \n[CVE-2022-35836](<https://vulners.com/cve/CVE-2022-35836>)5.0Critical \n[CVE-2022-35833](<https://vulners.com/cve/CVE-2022-35833>)5.0Critical \n[CVE-2022-35832](<https://vulners.com/cve/CVE-2022-35832>)5.0Critical \n[CVE-2022-37958](<https://vulners.com/cve/CVE-2022-37958>)5.0Critical \n[CVE-2022-35835](<https://vulners.com/cve/CVE-2022-35835>)5.0Critical \n[CVE-2022-33679](<https://vulners.com/cve/CVE-2022-33679>)5.0Critical \n[CVE-2022-34734](<https://vulners.com/cve/CVE-2022-34734>)5.0Critical \n[CVE-2022-34728](<https://vulners.com/cve/CVE-2022-34728>)5.0Critical \n[CVE-2022-34720](<https://vulners.com/cve/CVE-2022-34720>)5.0Critical \n[CVE-2022-34719](<https://vulners.com/cve/CVE-2022-34719>)5.0Critical \n[CVE-2022-34722](<https://vulners.com/cve/CVE-2022-34722>)5.0Critical \n[CVE-2022-35837](<https://vulners.com/cve/CVE-2022-35837>)5.0Critical \n[CVE-2022-35834](<https://vulners.com/cve/CVE-2022-35834>)5.0Critical \n[CVE-2022-37964](<https://vulners.com/cve/CVE-2022-37964>)5.0Critical\n\n### *KB list*:\n[5017361](<http://support.microsoft.com/kb/5017361>) \n[5017373](<http://support.microsoft.com/kb/5017373>) \n[5017371](<http://support.microsoft.com/kb/5017371>) 
\n[5017358](<http://support.microsoft.com/kb/5017358>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "kaspersky", "title": "KLA19249 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37964", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-04-28T00:00:00", "id": "KLA19249", "href": "https://threats.kaspersky.com/en/vulnerability/KLA19249/", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-10T15:10:56", "description": "### *Detect date*:\n09/13/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, cause denial of service, obtain sensitive information, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2016 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2012 R2 \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2012 \nWindows Server 2019 (Server Core installation) \nRaw Image Extension \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2022 Azure Edition Core Hotpatch \nWindows 11 for ARM64-based Systems \nWindows Server 2022 \nAV1 Video Extension \nWindows Server 2012 R2 (Server Core installation) \nWindows RT 8.1 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 21H2 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2019 \nWindows Server 2022 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 8.1 for x64-based systems \nWindows Server 2016 \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 21H2 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates 
from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-35840](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35840>) \n[CVE-2022-38004](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38004>) \n[CVE-2022-34727](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34727>) \n[CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>) \n[CVE-2022-30170](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30170>) \n[CVE-2022-34724](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34724>) \n[CVE-2022-33647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33647>) \n[CVE-2022-34732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34732>) \n[CVE-2022-35830](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35830>) \n[CVE-2022-34726](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34726>) \n[CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>) \n[CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>) \n[CVE-2022-37957](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37957>) \n[CVE-2022-37955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37955>) \n[CVE-2022-34731](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34731>) \n[CVE-2022-35803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35803>) \n[CVE-2022-30200](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30200>) \n[CVE-2022-34730](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34730>) \n[CVE-2022-34729](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34729>) \n[CVE-2022-38006](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38006>) 
\n[CVE-2022-38005](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38005>) \n[CVE-2022-35831](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35831>) \n[CVE-2022-34723](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34723>) \n[CVE-2022-37959](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37959>) \n[CVE-2022-34725](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34725>) \n[CVE-2022-38011](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38011>) \n[CVE-2022-37956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37956>) \n[CVE-2022-34733](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34733>) \n[CVE-2022-35836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35836>) \n[CVE-2022-35833](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35833>) \n[CVE-2022-35832](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35832>) \n[CVE-2022-37958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37958>) \n[CVE-2022-35835](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35835>) \n[CVE-2022-33679](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33679>) \n[CVE-2022-26928](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26928>) \n[CVE-2022-37954](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37954>) \n[CVE-2022-34734](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34734>) \n[CVE-2022-34728](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34728>) \n[CVE-2022-23960](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23960>) \n[CVE-2022-35841](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35841>) \n[CVE-2022-34720](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34720>) 
\n[CVE-2022-34719](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34719>) \n[CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>) \n[CVE-2022-35837](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35837>) \n[CVE-2022-38019](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38019>) \n[CVE-2022-30196](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30196>) \n[CVE-2022-35838](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35838>) \n[CVE-2022-35834](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35834>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-35840](<https://vulners.com/cve/CVE-2022-35840>)5.0Critical \n[CVE-2022-38004](<https://vulners.com/cve/CVE-2022-38004>)5.0Critical \n[CVE-2022-34727](<https://vulners.com/cve/CVE-2022-34727>)5.0Critical \n[CVE-2022-37969](<https://vulners.com/cve/CVE-2022-37969>)5.0Critical \n[CVE-2022-30170](<https://vulners.com/cve/CVE-2022-30170>)5.0Critical \n[CVE-2022-34724](<https://vulners.com/cve/CVE-2022-34724>)5.0Critical \n[CVE-2022-33647](<https://vulners.com/cve/CVE-2022-33647>)5.0Critical \n[CVE-2022-34732](<https://vulners.com/cve/CVE-2022-34732>)5.0Critical \n[CVE-2022-35830](<https://vulners.com/cve/CVE-2022-35830>)5.0Critical \n[CVE-2022-34726](<https://vulners.com/cve/CVE-2022-34726>)5.0Critical \n[CVE-2022-34718](<https://vulners.com/cve/CVE-2022-34718>)5.0Critical \n[CVE-2022-34721](<https://vulners.com/cve/CVE-2022-34721>)5.0Critical \n[CVE-2022-37957](<https://vulners.com/cve/CVE-2022-37957>)5.0Critical \n[CVE-2022-37955](<https://vulners.com/cve/CVE-2022-37955>)5.0Critical \n[CVE-2022-34731](<https://vulners.com/cve/CVE-2022-34731>)5.0Critical \n[CVE-2022-35803](<https://vulners.com/cve/CVE-2022-35803>)5.0Critical 
\n[CVE-2022-30200](<https://vulners.com/cve/CVE-2022-30200>)5.0Critical \n[CVE-2022-34730](<https://vulners.com/cve/CVE-2022-34730>)5.0Critical \n[CVE-2022-34729](<https://vulners.com/cve/CVE-2022-34729>)5.0Critical \n[CVE-2022-38006](<https://vulners.com/cve/CVE-2022-38006>)5.0Critical \n[CVE-2022-38005](<https://vulners.com/cve/CVE-2022-38005>)5.0Critical \n[CVE-2022-35831](<https://vulners.com/cve/CVE-2022-35831>)5.0Critical \n[CVE-2022-34723](<https://vulners.com/cve/CVE-2022-34723>)5.0Critical \n[CVE-2022-37959](<https://vulners.com/cve/CVE-2022-37959>)5.0Critical \n[CVE-2022-34725](<https://vulners.com/cve/CVE-2022-34725>)5.0Critical \n[CVE-2022-38011](<https://vulners.com/cve/CVE-2022-38011>)5.0Critical \n[CVE-2022-37956](<https://vulners.com/cve/CVE-2022-37956>)5.0Critical \n[CVE-2022-34733](<https://vulners.com/cve/CVE-2022-34733>)5.0Critical \n[CVE-2022-35836](<https://vulners.com/cve/CVE-2022-35836>)5.0Critical \n[CVE-2022-35833](<https://vulners.com/cve/CVE-2022-35833>)5.0Critical \n[CVE-2022-35832](<https://vulners.com/cve/CVE-2022-35832>)5.0Critical \n[CVE-2022-37958](<https://vulners.com/cve/CVE-2022-37958>)5.0Critical \n[CVE-2022-35835](<https://vulners.com/cve/CVE-2022-35835>)5.0Critical \n[CVE-2022-33679](<https://vulners.com/cve/CVE-2022-33679>)5.0Critical \n[CVE-2022-26928](<https://vulners.com/cve/CVE-2022-26928>)5.0Critical \n[CVE-2022-37954](<https://vulners.com/cve/CVE-2022-37954>)5.0Critical \n[CVE-2022-34734](<https://vulners.com/cve/CVE-2022-34734>)5.0Critical \n[CVE-2022-34728](<https://vulners.com/cve/CVE-2022-34728>)5.0Critical \n[CVE-2022-23960](<https://vulners.com/cve/CVE-2022-23960>)1.9Warning \n[CVE-2022-35841](<https://vulners.com/cve/CVE-2022-35841>)5.0Critical \n[CVE-2022-34720](<https://vulners.com/cve/CVE-2022-34720>)5.0Critical \n[CVE-2022-34719](<https://vulners.com/cve/CVE-2022-34719>)5.0Critical \n[CVE-2022-34722](<https://vulners.com/cve/CVE-2022-34722>)5.0Critical 
\n[CVE-2022-35837](<https://vulners.com/cve/CVE-2022-35837>)5.0Critical \n[CVE-2022-38019](<https://vulners.com/cve/CVE-2022-38019>)5.0Critical \n[CVE-2022-30196](<https://vulners.com/cve/CVE-2022-30196>)5.0Critical \n[CVE-2022-35838](<https://vulners.com/cve/CVE-2022-35838>)5.0Critical \n[CVE-2022-35834](<https://vulners.com/cve/CVE-2022-35834>)5.0Critical\n\n### *KB list*:\n[5017392](<http://support.microsoft.com/kb/5017392>) \n[5017377](<http://support.microsoft.com/kb/5017377>) \n[5017316](<http://support.microsoft.com/kb/5017316>) \n[5017327](<http://support.microsoft.com/kb/5017327>) \n[5017365](<http://support.microsoft.com/kb/5017365>) \n[5017367](<http://support.microsoft.com/kb/5017367>) \n[5017315](<http://support.microsoft.com/kb/5017315>) \n[5017305](<http://support.microsoft.com/kb/5017305>) \n[5017328](<http://support.microsoft.com/kb/5017328>) \n[5017308](<http://support.microsoft.com/kb/5017308>) \n[5017370](<http://support.microsoft.com/kb/5017370>) \n[5026363](<http://support.microsoft.com/kb/5026363>) \n[5026382](<http://support.microsoft.com/kb/5026382>) \n[5026456](<http://support.microsoft.com/kb/5026456>) \n[5026362](<http://support.microsoft.com/kb/5026362>) \n[5026370](<http://support.microsoft.com/kb/5026370>) \n[5026368](<http://support.microsoft.com/kb/5026368>) \n[5026361](<http://support.microsoft.com/kb/5026361>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "kaspersky", "title": "KLA19245 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": 
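Kaspersky's "Solution" for KLA19245 is to install one of the KBs in the list above, which is one KB per Windows branch. The script below is an added example (not Kaspersky's or Microsoft's code) that reports which of those KBs a host has. It assumes `Get-HotFix` and `Win32_OperatingSystem` are queryable (locally, or for a remote `-ComputerName` with WinRM reachable for `Get-CimInstance` and DCOM for `Get-HotFix`); the KB list embedded in it is copied from the bulletin above; the function and parameter names are this example's own.

```powershell
# Added example (not Kaspersky's or Microsoft's code): report which of the KBs
# from KLA19245 a Windows host has installed. Assumptions: Get-HotFix and
# Win32_OperatingSystem are queryable (locally, or remotely over WinRM/DCOM);
# the KB list is copied from the bulletin; names are this example's own.

function Test-KbInstalled {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$KbIds,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Only pass -ComputerName for remote targets; passing the local name would
    # turn a plain local query into a remoting call that may not be enabled.
    $remote = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $remote['ComputerName'] = $ComputerName }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem @remote
    $installed = @(Get-HotFix @remote -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty HotFixID)

    # Accept "5017392" or "KB5017392"; Get-HotFix reports the KB-prefixed form.
    $wanted = @($KbIds | ForEach-Object { 'KB' + ($_ -replace '^KB', '') })
    $found  = @($wanted | Where-Object { $installed -contains $_ })

    [pscustomobject]@{
        ComputerName = $ComputerName
        OSCaption    = $os.Caption
        OSVersion    = $os.Version
        KbsChecked   = $wanted.Count
        KbsFound     = ($found -join ', ')
        # A bulletin lists one KB per OS branch, so one hit is enough. No hit
        # is not proof the fix is missing: a later cumulative update
        # supersedes these KBs without carrying their numbers, so an
        # unconfirmed host needs its OS build compared against the current LCU.
        Verdict      = if ($found.Count -gt 0) { 'Fixed' } else { 'Unconfirmed (check build / later LCU)' }
    }
}

# KB list exactly as published in KLA19245 (Microsoft Windows, September 2022).
$kla19245Kbs = '5017392','5017377','5017316','5017327','5017365','5017367',
               '5017315','5017305','5017328','5017308','5017370',
               '5026363','5026382','5026456','5026362','5026370','5026368','5026361'

Test-KbInstalled -KbIds $kla19245Kbs | Format-List
```

Treat `Fixed` as authoritative and `Unconfirmed` as a prompt, not a finding: on a host that has taken any later monthly cumulative update the September 2022 KB will not appear in `Get-HotFix` even though its fixes are present, which is why the object carries the OS version for a build-level comparison.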
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23960", "CVE-2022-26928", "CVE-2022-30170", "CVE-2022-30196", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34723", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35838", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37954", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006", "CVE-2022-38011", "CVE-2022-38019"], "modified": "2023-05-11T00:00:00", "id": "KLA19245", "href": "https://threats.kaspersky.com/en/vulnerability/KLA19245/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-10T15:15:13", "description": "### *Detect date*:\n04/12/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, obtain sensitive information, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. 
Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-26917](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26917>) \n[CVE-2022-26803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26803>) \n[CVE-2022-26788](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26788>) \n[CVE-2022-24485](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24485>) \n[CVE-2022-26822](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26822>) \n[CVE-2022-26802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26802>) \n[CVE-2022-24498](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24498>) \n[CVE-2022-24536](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24536>) \n[CVE-2022-26813](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26813>) \n[CVE-2022-24533](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24533>) \n[CVE-2022-26903](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26903>) \n[CVE-2022-26801](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26801>) 
\n[CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) \n[CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>) \n[CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>) \n[CVE-2022-26796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26796>) \n[CVE-2022-26916](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26916>) \n[CVE-2022-26812](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26812>) \n[CVE-2022-26821](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26821>) \n[CVE-2022-21983](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21983>) \n[CVE-2022-26915](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26915>) \n[CVE-2022-26829](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26829>) \n[CVE-2022-24534](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24534>) \n[CVE-2022-24499](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24499>) \n[CVE-2022-26831](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26831>) \n[CVE-2022-24542](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24542>) \n[CVE-2022-24528](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24528>) \n[CVE-2022-26810](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26810>) \n[CVE-2022-26792](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26792>) \n[CVE-2022-26918](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26918>) \n[CVE-2022-26815](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26815>) \n[CVE-2022-24494](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24494>) \n[CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>) 
\n[CVE-2022-26819](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26819>) \n[CVE-2022-24492](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24492>) \n[CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>) \n[CVE-2022-26919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26919>) \n[CVE-2022-24493](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24493>) \n[CVE-2022-26798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26798>) \n[CVE-2022-26807](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26807>) \n[CVE-2022-24530](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24530>) \n[CVE-2022-26787](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26787>) \n[CVE-2022-26797](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26797>) \n[CVE-2022-24481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24481>) \n[CVE-2022-24474](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24474>) \n[CVE-2022-26827](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26827>) \n[CVE-2022-24544](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24544>) \n[CVE-2022-24540](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24540>) \n[CVE-2022-26790](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26790>) \n[CVE-2022-26794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26794>) \n[CVE-2022-26820](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26820>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5012658](<http://support.microsoft.com/kb/5012658>) \n[5012626](<http://support.microsoft.com/kb/5012626>) \n[5012632](<http://support.microsoft.com/kb/5012632>) 
\n[5012649](<http://support.microsoft.com/kb/5012649>) \n[5013999](<http://support.microsoft.com/kb/5013999>) \n[5014012](<http://support.microsoft.com/kb/5014012>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "kaspersky", "title": "KLA12509 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21983", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24485", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26815", "CVE-2022-26819", 
"CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2022-06-15T00:00:00", "id": "KLA12509", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12509/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-10T15:15:27", "description": "### *Detect date*:\n04/12/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, cause denial of service, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2016 \nWindows RT 8.1 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2022 (Server Core installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2019 \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows Server 2022 \nWindows 11 for ARM64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 21H2 for 32-bit Systems \nWindows 10 Version 1909 for 32-bit 
Systems \nWindows 10 Version 21H2 for x64-based Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Upgrade Assistant \nHEVC Video Extension \nHEVC Video Extensions\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-26917](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26917>) \n[CVE-2022-26803](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26803>) \n[CVE-2022-26788](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26788>) \n[CVE-2022-26791](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26791>) \n[CVE-2022-26789](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26789>) \n[CVE-2022-26825](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26825>) \n[CVE-2022-26822](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26822>) \n[CVE-2022-26802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26802>) \n[CVE-2022-26795](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26795>) \n[CVE-2022-26920](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26920>) \n[CVE-2022-26813](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26813>) \n[CVE-2022-26801](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26801>) \n[CVE-2022-26796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26796>) \n[CVE-2022-26916](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26916>) 
\n[CVE-2022-26812](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26812>) \n[CVE-2022-26793](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26793>) \n[CVE-2022-26821](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26821>) \n[CVE-2022-24549](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24549>) \n[CVE-2022-26915](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26915>) \n[CVE-2022-26831](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26831>) \n[CVE-2022-26828](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26828>) \n[CVE-2022-26810](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26810>) \n[CVE-2022-26792](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26792>) \n[CVE-2022-26786](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26786>) \n[CVE-2022-26918](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26918>) \n[CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>) \n[CVE-2022-26819](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26819>) \n[CVE-2022-26826](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26826>) \n[CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>) \n[CVE-2022-26919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26919>) \n[CVE-2022-26808](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26808>) \n[CVE-2022-26798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26798>) \n[CVE-2022-26807](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26807>) \n[CVE-2022-26824](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26824>) \n[CVE-2022-26787](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26787>) 
\n[CVE-2022-26797](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26797>) \n[CVE-2022-26827](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26827>) \n[CVE-2022-26823](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26823>) \n[CVE-2022-26790](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26790>) \n[CVE-2022-26794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26794>) \n[CVE-2022-26811](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26811>) \n[CVE-2022-26820](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26820>) \n[CVE-2022-24479](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24479>) \n[CVE-2022-23257](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23257>) \n[CVE-2022-26784](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26784>) \n[CVE-2022-24539](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24539>) \n[CVE-2022-24485](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24485>) \n[CVE-2022-24489](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24489>) \n[CVE-2022-24498](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24498>) \n[CVE-2022-24536](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24536>) \n[CVE-2022-24533](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24533>) \n[CVE-2022-26903](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26903>) \n[CVE-2022-24538](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24538>) \n[CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) \n[CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>) \n[CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>) 
\n[CVE-2022-24545](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24545>) \n[CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) \n[CVE-2022-23268](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23268>) \n[CVE-2022-26818](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26818>) \n[CVE-2022-24543](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24543>) \n[CVE-2022-21983](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21983>) \n[CVE-2022-24537](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24537>) \n[CVE-2022-26829](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26829>) \n[CVE-2022-22008](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22008>) \n[CVE-2022-24534](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24534>) \n[CVE-2022-24499](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24499>) \n[CVE-2022-24542](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24542>) \n[CVE-2022-24528](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24528>) \n[CVE-2022-24487](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24487>) \n[CVE-2022-26830](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26830>) \n[CVE-2022-24490](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24490>) \n[CVE-2022-24488](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24488>) \n[CVE-2022-26815](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26815>) \n[CVE-2022-24494](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24494>) \n[CVE-2022-24483](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24483>) \n[CVE-2022-24484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24484>) 
\n[CVE-2022-26814](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26814>) \n[CVE-2022-24532](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24532>) \n[CVE-2022-24492](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24492>) \n[CVE-2022-22009](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22009>) \n[CVE-2022-24493](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24493>) \n[CVE-2022-24496](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24496>) \n[CVE-2022-26785](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26785>) \n[CVE-2022-26783](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26783>) \n[CVE-2022-24530](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24530>) \n[CVE-2022-26817](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26817>) \n[CVE-2022-24481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24481>) \n[CVE-2022-24474](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24474>) \n[CVE-2022-24546](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24546>) \n[CVE-2022-24486](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24486>) \n[CVE-2022-24547](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24547>) \n[CVE-2022-24544](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24544>) \n[CVE-2022-24540](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24540>) \n[CVE-2022-24495](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24495>) \n[CVE-2022-26816](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26816>) \n[CVE-2022-26914](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26914>) \n[CVE-2022-24550](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24550>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft 
Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5012653](<http://support.microsoft.com/kb/5012653>) \n[5012647](<http://support.microsoft.com/kb/5012647>) \n[5012599](<http://support.microsoft.com/kb/5012599>) \n[5012596](<http://support.microsoft.com/kb/5012596>) \n[5012666](<http://support.microsoft.com/kb/5012666>) \n[5012639](<http://support.microsoft.com/kb/5012639>) \n[5012592](<http://support.microsoft.com/kb/5012592>) \n[5012604](<http://support.microsoft.com/kb/5012604>) \n[5012591](<http://support.microsoft.com/kb/5012591>) \n[5012650](<http://support.microsoft.com/kb/5012650>) \n[5012670](<http://support.microsoft.com/kb/5012670>) \n[5023706](<http://support.microsoft.com/kb/5023706>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "kaspersky", "title": "KLA12502 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23268", "CVE-2022-24474", 
"CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24532", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24543", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26791", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-03-20T00:00:00", "id": "KLA12502", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12502/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-17T16:34:47", "description": "The Microsoft Dynamics 365 (on-premises) is missing a security update. 
It is, therefore, affected by the following vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to execute unauthorized arbitrary commands in the context of the db_owner. (CVE-2022-34700, CVE-2022-35085)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-14T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Dynamics 365 (on-premises) (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-34700", "CVE-2022-35085", "CVE-2022-35805"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:microsoft:dynamics_365"], "id": "SMB_NT_MS22_SEP_MICROSOFT_DYNAMICS.NASL", "href": "https://www.tenable.com/plugins/nessus/165072", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165072);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2022-34700\", \"CVE-2022-35805\");\n script_xref(name:\"MSKB\", value:\"5017226\");\n script_xref(name:\"MSKB\", value:\"5017524\");\n script_xref(name:\"MSFT\", value:\"MS22-5017226\");\n script_xref(name:\"MSFT\", value:\"MS22-5017524\");\n script_xref(name:\"IAVA\", value:\"2022-A-0377\");\n\n script_name(english:\"Security Updates for Microsoft Dynamics 365 (on-premises) (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Dynamics 365 (on-premises) is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Dynamics 365 (on-premises) is missing a security update. 
It is, therefore, affected by the following\nvulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to execute unauthorized arbitrary\n commands in the context of the db_owner. (CVE-2022-34700, CVE-2022-35085)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-gb/topic/service-update-1-12-for-microsoft-dynamics-crm-on-premises-9-1-8d9a5138-241d-4a90-832e-826cc1015326\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3f252a50\");\n # https://support.microsoft.com/en-gb/topic/service-update-0-40-for-microsoft-dynamics-crm-on-premises-9-0-8c3976f4-b756-4282-a0a2-d77d2ed40466\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cba5f67\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB5017226\n -KB5017524\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35805\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:dynamics_365\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_dynamics_365_detect.nbin\");\n script_require_keys(\"installed_sw/Microsoft Dynamics 365 Server\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app = 'Microsoft Dynamics 365 Server';\nvar app_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nvar constraints = [\n { 'min_version' : '9.0', 'fixed_version' : '9.0.40.5', 'fixed_display' : 'Update v9.0 (on-premises) Update 0.40' },\n { 'min_version' : '9.1', 'fixed_version' : '9.1.12.17', 'fixed_display' : 'Update v9.1 (on-premises) Update 1.12' }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:18", "description": "The remote Windows host is missing security update 5017371. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017371: Windows Server 2008 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37964", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017371.NASL", "href": "https://www.tenable.com/plugins/nessus/165004", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165004);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37964\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017358\");\n script_xref(name:\"MSKB\", value:\"5017371\");\n script_xref(name:\"MSFT\", value:\"MS22-5017358\");\n script_xref(name:\"MSFT\", value:\"MS22-5017371\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n\n script_name(english:\"KB5017371: Windows Server 2008 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017371. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017358\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017371\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017358\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017371\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017371 or Cumulative Update 5017358\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017371',\n '5017358'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017371, 5017358])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:23", "description": "The remote Windows 
host is missing security update 5017377. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017377: Windows Server 2012 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017377.NASL", "href": "https://www.tenable.com/plugins/nessus/165007", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165007);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37958\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017370\");\n script_xref(name:\"MSKB\", value:\"5017377\");\n script_xref(name:\"MSFT\", value:\"MS22-5017370\");\n script_xref(name:\"MSFT\", value:\"MS22-5017377\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017377: Windows Server 2012 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017377. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017370\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017377\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017370\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017377\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017377 or Cumulative Update 5017370\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017377',\n '5017370'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017377, 5017370])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:06", "description": "The remote Windows 
host is missing security update 5017327. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017327: Windows 10 LTS 1507 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26928", "CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30200", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017327.NASL", "href": "https://www.tenable.com/plugins/nessus/165006", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165006);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26928\",\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-35841\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37958\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017327\");\n script_xref(name:\"MSFT\", value:\"MS22-5017327\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017327: Windows 10 LTS 1507 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017327. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017327\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017327\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017327\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017327'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017327])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:46", "description": "The remote Windows host is missing security update 5017373. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017373: Windows Server 2008 R2 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37964", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017373.NASL", "href": "https://www.tenable.com/plugins/nessus/165002", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165002);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37958\",\n \"CVE-2022-37964\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017361\");\n script_xref(name:\"MSKB\", value:\"5017373\");\n script_xref(name:\"MSFT\", value:\"MS22-5017361\");\n script_xref(name:\"MSFT\", value:\"MS22-5017373\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017373: Windows Server 2008 R2 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017373. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017361\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017361\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017373\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017373 or Cumulative Update 5017361\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017373',\n '5017361'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017373, 5017361])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:24", "description": "The remote Windows 
host is missing security update 5017308. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017308: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26928", "CVE-2022-30170", "CVE-2022-30196", "CVE-2022-30200", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37954", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37958", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017308.NASL", "href": "https://www.tenable.com/plugins/nessus/164994", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164994);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26928\",\n \"CVE-2022-30170\",\n \"CVE-2022-30196\",\n \"CVE-2022-30200\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-35841\",\n \"CVE-2022-37954\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37957\",\n \"CVE-2022-37958\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017308\");\n script_xref(name:\"MSFT\", value:\"MS22-5017308\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017308: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017308. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017308\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017308\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017308\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017308'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvar os_name = get_kb_item(\"SMB/ProductName\");\n\nif ( ( (\"enterprise\" >< tolower(os_name) || \"education\" >< tolower(os_name))\n &&\n smb_check_rollup(os:'10',\n os_build:19042,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017308]) \n )\n ||\n smb_check_rollup(os:'10',\n os_build:19043,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017308])\n || \n smb_check_rollup(os:'10',\n os_build:19044,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017308])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, 
"vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:43", "description": "The remote Windows host is missing security update 5017365. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017365: Windows Server 2012 R2 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017365.NASL", "href": "https://www.tenable.com/plugins/nessus/165005", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165005);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37958\",\n \"CVE-2022-37959\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017365\");\n script_xref(name:\"MSKB\", value:\"5017367\");\n script_xref(name:\"MSFT\", value:\"MS22-5017365\");\n script_xref(name:\"MSFT\", value:\"MS22-5017367\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017365: Windows Server 2012 R2 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017365. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\n - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-33647, CVE-2022-33679)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017365\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017367\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017365\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017367\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017365 or Cumulative Update 5017367\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017367',\n '5017365'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017367, 5017365])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:24", "description": "The remote Windows 
host is missing security update 5017392. It is, therefore, affected by multiple vulnerabilities\n\n - HTTP V3 Denial of Service Vulnerability (CVE-2022-35838)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017392: Windows Server 2022 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30170", "CVE-2022-30196", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35838", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37954", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017392.NASL", "href": "https://www.tenable.com/plugins/nessus/165000", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165000);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-30170\",\n \"CVE-2022-30196\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35838\",\n \"CVE-2022-35840\",\n \"CVE-2022-35841\",\n \"CVE-2022-37954\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37958\",\n \"CVE-2022-37959\",\n \"CVE-2022-37969\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017392\");\n script_xref(name:\"MSFT\", value:\"MS22-5017392\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017392: Windows Server 2022 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017392. 
It is, therefore, affected by multiple vulnerabilities\n\n - HTTP V3 Denial of Service Vulnerability (CVE-2022-35838)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017316\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017316\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017392\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017392\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017392\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017316',\n '5017392'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:20348,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017316, 5017392])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:43", "description": "The remote Windows host is missing security update 5017328. 
It is, therefore, affected by multiple vulnerabilities\n\n - Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. (CVE-2022-23960)\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017328: Windows 11 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-23960", "CVE-2022-26928", "CVE-2022-30170", "CVE-2022-30196", "CVE-2022-30200", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34723", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35838", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37954", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37958", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-03-23T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017328.NASL", "href": "https://www.tenable.com/plugins/nessus/164998", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164998);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\n \"CVE-2022-23960\",\n \"CVE-2022-26928\",\n \"CVE-2022-30170\",\n \"CVE-2022-30196\",\n \"CVE-2022-30200\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34723\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35838\",\n \"CVE-2022-35840\",\n \"CVE-2022-35841\",\n \"CVE-2022-37954\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37957\",\n \"CVE-2022-37958\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017328\");\n script_xref(name:\"MSFT\", value:\"MS22-5017328\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017328: Windows 11 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017328. 
It is, therefore, affected by multiple vulnerabilities\n\n - Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation,\n aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to\n influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive\n information. (CVE-2022-23960)\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017328\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017328\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017328\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-23960\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017328'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_NOTE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:22000,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017328])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_note();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:46", "description": "The remote Windows host is missing security update 5017305. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017305: Windows 10 Version 1607 and Windows Server 2016 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26928", "CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017305.NASL", "href": "https://www.tenable.com/plugins/nessus/164996", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164996);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26928\",\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-35841\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37957\",\n \"CVE-2022-37958\",\n \"CVE-2022-37959\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017305\");\n script_xref(name:\"MSFT\", value:\"MS22-5017305\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017305: Windows 10 Version 1607 and Windows Server 2016 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017305. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2022-30200)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017305\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017305\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017305\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017305'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:14393,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017305])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:46", "description": "The remote Windows host is missing security update 5017315. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-13T00:00:00", "type": "nessus", "title": "KB5017315: Windows 10 version 1809 / Windows Server 2019 Security Update (September 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26928", "CVE-2022-26929", "CVE-2022-30170", "CVE-2022-30196", "CVE-2022-30200", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34719", "CVE-2022-34720", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34725", "CVE-2022-34726", "CVE-2022-34727", "CVE-2022-34728", "CVE-2022-34729", "CVE-2022-34730", "CVE-2022-34731", "CVE-2022-34732", "CVE-2022-34733", "CVE-2022-34734", "CVE-2022-35803", "CVE-2022-35830", "CVE-2022-35831", "CVE-2022-35832", "CVE-2022-35833", "CVE-2022-35834", "CVE-2022-35835", "CVE-2022-35836", "CVE-2022-35837", "CVE-2022-35840", "CVE-2022-35841", "CVE-2022-37954", "CVE-2022-37955", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37958", "CVE-2022-37959", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38005", "CVE-2022-38006"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_SEP_5017315.NASL", "href": "https://www.tenable.com/plugins/nessus/164997", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164997);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2022-26928\",\n \"CVE-2022-26929\",\n \"CVE-2022-30170\",\n \"CVE-2022-30196\",\n \"CVE-2022-30200\",\n \"CVE-2022-33647\",\n \"CVE-2022-33679\",\n \"CVE-2022-34718\",\n \"CVE-2022-34719\",\n \"CVE-2022-34720\",\n \"CVE-2022-34721\",\n \"CVE-2022-34722\",\n \"CVE-2022-34724\",\n \"CVE-2022-34725\",\n \"CVE-2022-34726\",\n \"CVE-2022-34727\",\n \"CVE-2022-34728\",\n \"CVE-2022-34729\",\n \"CVE-2022-34730\",\n \"CVE-2022-34731\",\n \"CVE-2022-34732\",\n \"CVE-2022-34733\",\n \"CVE-2022-34734\",\n \"CVE-2022-35803\",\n \"CVE-2022-35830\",\n \"CVE-2022-35831\",\n \"CVE-2022-35832\",\n \"CVE-2022-35833\",\n \"CVE-2022-35834\",\n \"CVE-2022-35835\",\n \"CVE-2022-35836\",\n \"CVE-2022-35837\",\n \"CVE-2022-35840\",\n \"CVE-2022-35841\",\n \"CVE-2022-37954\",\n \"CVE-2022-37955\",\n \"CVE-2022-37956\",\n \"CVE-2022-37957\",\n \"CVE-2022-37958\",\n \"CVE-2022-37959\",\n \"CVE-2022-37969\",\n \"CVE-2022-38004\",\n \"CVE-2022-38005\",\n \"CVE-2022-38006\"\n );\n script_xref(name:\"MSKB\", value:\"5017315\");\n script_xref(name:\"MSFT\", value:\"MS22-5017315\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/05\");\n script_xref(name:\"IAVA\", value:\"2022-A-0376-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0369-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0368-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0042\");\n\n script_name(english:\"KB5017315: Windows 10 version 1809 / Windows Server 2019 Security Update (September 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5017315. 
It is, therefore, affected by multiple vulnerabilities\n\n - Windows Photo Import API Elevation of Privilege Vulnerability (CVE-2022-26928)\n\n - Windows Credential Roaming Service Elevation of Privilege Vulnerability (CVE-2022-30170)\n\n - Windows Secure Channel Denial of Service Vulnerability (CVE-2022-30196, CVE-2022-35833)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5017315\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5017315\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5017315\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35840\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-34722\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-09';\nkbs = make_list(\n '5017315'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:17763,\n rollup_date:'09_2022',\n bulletin:bulletin,\n rollup_kb_list:[5017315])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:50", "description": "The remote Windows host is missing security update 5012632 or cumulative update 5012658. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-26916, CVE-2022-26812,CVE-2022-26919,CVE-2022-26918,CVE-2022-26813, CVE-2022-26821,CVE-2022-26815,CVE-2022-26822,CVE-2022-26917, CVE-2022-26829,CVE-2022-26820,CVE-2022-26809,CVE-2022-26819, CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534, CVE-2022-24485,CVE-2022-26903,CVE-2022-24528,CVE-2022-21983, \tCVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26797, CVE-2022-26796,CVE-2022-26904,CVE-2022-26798,CVE-2022-26801, CVE-2022-26802,CVE-2022-26810,CVE-2022-26792,CVE-2022-26794, CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481, CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499, CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-24498)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012632: Windows Server 2008 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24485", "CVE-2022-24492", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26815", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012632.NASL", "href": "https://www.tenable.com/plugins/nessus/159684", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159684);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24485\",\n \"CVE-2022-24492\",\n \"CVE-2022-24494\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24540\",\n 
\"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26815\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012632\");\n script_xref(name:\"MSKB\", value:\"5012658\");\n script_xref(name:\"MSFT\", value:\"MS22-5012632\");\n script_xref(name:\"MSFT\", value:\"MS22-5012658\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012632: Windows Server 2008 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012632\nor cumulative update 5012658. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2022-26916,\n CVE-2022-26812,CVE-2022-26919,CVE-2022-26918,CVE-2022-26813,\n CVE-2022-26821,CVE-2022-26815,CVE-2022-26822,CVE-2022-26917,\n CVE-2022-26829,CVE-2022-26820,CVE-2022-26809,CVE-2022-26819,\n CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534,\n CVE-2022-24485,CVE-2022-26903,CVE-2022-24528,CVE-2022-21983,\n\tCVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges. (CVE-2022-26797,\n CVE-2022-26796,CVE-2022-26904,CVE-2022-26798,CVE-2022-26801,\n CVE-2022-26802,CVE-2022-26810,CVE-2022-26792,CVE-2022-26794,\n CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481,\n CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499,\n CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26915,\n CVE-2022-26831)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-24498)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012632\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012658\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012632 or Cumulative Update 5012658\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012658',\n '5012632'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012658, 5012632])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:35", "description": "The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.5 Monterey. It is, therefore, affected by multiple vulnerabilities :\n\n - Exploitation of this vulnerability may lead to memory corruption issue. (CVE-2022-32787)\n\n - Exploitation of this vulnerability may to disclose kernel memory. (CVE-2022-32793)\n\n - Exploitation of this vulnerability may lead to gain elevated privileges. 
(CVE-2022-32798)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {}, "published": "2022-08-19T00:00:00", "type": "nessus", "title": "macOS 12.x < 12.5 (HT213345)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-28544", "CVE-2022-2294", "CVE-2022-24070", "CVE-2022-26981", "CVE-2022-29046", "CVE-2022-29048", "CVE-2022-32785", "CVE-2022-32786", "CVE-2022-32787", "CVE-2022-32789", "CVE-2022-32792", "CVE-2022-32793", "CVE-2022-32796", "CVE-2022-32797", "CVE-2022-32798", "CVE-2022-32799", "CVE-2022-32800", "CVE-2022-32801", "CVE-2022-32805", "CVE-2022-32807", "CVE-2022-32810", "CVE-2022-32811", "CVE-2022-32812", "CVE-2022-32813", "CVE-2022-32814", "CVE-2022-32815", "CVE-2022-32816", "CVE-2022-32817", "CVE-2022-32818", "CVE-2022-32819", "CVE-2022-32820", "CVE-2022-32821", "CVE-2022-32823", "CVE-2022-32825", "CVE-2022-32826", "CVE-2022-32828", "CVE-2022-32829", "CVE-2022-32831", "CVE-2022-32832", "CVE-2022-32834", "CVE-2022-32837", "CVE-2022-32838", "CVE-2022-32839", "CVE-2022-32840", "CVE-2022-32841", "CVE-2022-32842", "CVE-2022-32843", "CVE-2022-32845", "CVE-2022-32847", "CVE-2022-32848", "CVE-2022-32849", "CVE-2022-32851", "CVE-2022-32852", "CVE-2022-32853", "CVE-2022-32857"], "modified": "2022-12-15T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213345.NASL", "href": "https://www.tenable.com/plugins/nessus/164291", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164291);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/15\");\n\n script_cve_id(\n \"CVE-2021-28544\",\n \"CVE-2022-2294\",\n \"CVE-2022-24070\",\n \"CVE-2022-26981\",\n \"CVE-2022-29046\",\n \"CVE-2022-29048\",\n \"CVE-2022-32785\",\n \"CVE-2022-32786\",\n \"CVE-2022-32787\",\n \"CVE-2022-32789\",\n \"CVE-2022-32792\",\n 
\"CVE-2022-32793\",\n \"CVE-2022-32796\",\n \"CVE-2022-32797\",\n \"CVE-2022-32798\",\n \"CVE-2022-32799\",\n \"CVE-2022-32800\",\n \"CVE-2022-32801\",\n \"CVE-2022-32805\",\n \"CVE-2022-32807\",\n \"CVE-2022-32810\",\n \"CVE-2022-32811\",\n \"CVE-2022-32812\",\n \"CVE-2022-32813\",\n \"CVE-2022-32814\",\n \"CVE-2022-32815\",\n \"CVE-2022-32816\",\n \"CVE-2022-32817\",\n \"CVE-2022-32818\",\n \"CVE-2022-32819\",\n \"CVE-2022-32820\",\n \"CVE-2022-32821\",\n \"CVE-2022-32823\",\n \"CVE-2022-32825\",\n \"CVE-2022-32826\",\n \"CVE-2022-32828\",\n \"CVE-2022-32829\",\n \"CVE-2022-32831\",\n \"CVE-2022-32832\",\n \"CVE-2022-32834\",\n \"CVE-2022-32837\",\n \"CVE-2022-32838\",\n \"CVE-2022-32839\",\n \"CVE-2022-32840\",\n \"CVE-2022-32841\",\n \"CVE-2022-32842\",\n \"CVE-2022-32843\",\n \"CVE-2022-32845\",\n \"CVE-2022-32847\",\n \"CVE-2022-32848\",\n \"CVE-2022-32849\",\n \"CVE-2022-32851\",\n \"CVE-2022-32852\",\n \"CVE-2022-32853\",\n \"CVE-2022-32857\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT213345\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2022-07-20\");\n script_xref(name:\"IAVA\", value:\"2022-A-0295-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0442-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"macOS 12.x < 12.5 (HT213345)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS or Mac OS X security update or supplemental update that fixes multiple\nvulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.5 Monterey. It is, therefore, \naffected by multiple vulnerabilities :\n\n - Exploitation of this vulnerability may lead to memory corruption issue. (CVE-2022-32787)\n\n - Exploitation of this vulnerability may to disclose kernel memory. (CVE-2022-32793)\n\n - Exploitation of this vulnerability may lead to gain elevated privileges. 
(CVE-2022-32798)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-gb/HT213345\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 12.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26981\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-32845\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\nvar constraints = [\n {\n 'min_version': '12.0', \n 'fixed_version': '12.5', \n 'fixed_display': 'macOS Monterey 12.5'\n }\n];\n\nvcf::apple::macos::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:50", "description": "The remote Windows host is missing security update 5012653. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26798, CVE-2022-26801, CVE-2022-26786, CVE-2022-24549, CVE-2022-26794, CVE-2022-26802, CVE-2022-26792, CVE-2022-26797, CVE-2022-26787, CVE-2022-26803, CVE-2022-26796, CVE-2022-26790, CVE-2022-26904, CVE-2022-26808, CVE-2022-26788, CVE-2022-24544, CVE-2022-24540, CVE-2022-24486, CVE-2022-24481, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24547, CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530, CVE-2022-26807)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26916, CVE-2022-26919, CVE-2022-26917, CVE-2022-26809, CVE-2022-26918, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24528, CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24493, CVE-2022-24498, CVE-2022-24483)\n\n - A denial of service (DoS) vulnerability. 
An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012653: Windows 10 version 1507 LTS Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26831", "CVE-2022-26832", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012653.NASL", "href": "https://www.tenable.com/plugins/nessus/159680", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159680);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n 
\"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26831\",\n \"CVE-2022-26832\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012653\");\n script_xref(name:\"MSFT\", value:\"MS22-5012653\");\n script_xref(name:\"IAVA\", value:\"2022-A-0143-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012653: Windows 10 version 1507 LTS Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012653. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26798, CVE-2022-26801, CVE-2022-26786, \n CVE-2022-24549, CVE-2022-26794, CVE-2022-26802, \n CVE-2022-26792, CVE-2022-26797, CVE-2022-26787, \n CVE-2022-26803, CVE-2022-26796, CVE-2022-26790, \n CVE-2022-26904, CVE-2022-26808, CVE-2022-26788, \n CVE-2022-24544, CVE-2022-24540, CVE-2022-24486, \n CVE-2022-24481, CVE-2022-24527, CVE-2022-24474, \n CVE-2022-24521, CVE-2022-24550, CVE-2022-24547, \n CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530, CVE-2022-26807)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26916, \n CVE-2022-26919, CVE-2022-26917, CVE-2022-26809, \n CVE-2022-26918, CVE-2022-24541, CVE-2022-24492, \n CVE-2022-24491, CVE-2022-24534, CVE-2022-24485, \n CVE-2022-24533, CVE-2022-26903, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24493, CVE-2022-24498,\n CVE-2022-24483)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2022-26831,\n CVE-2022-26915)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012653\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012653\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012653'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012653])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:11", "description": "The remote Windows host is missing security update 5012666 or cumulative update 5012650. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-26812, CVE-2022-26919,CVE-2022-26809,CVE-2022-26918,CVE-2022-26813, CVE-2022-26821,CVE-2022-26819,CVE-2022-26815,CVE-2022-26916, CVE-2022-26822,CVE-2022-26917,CVE-2022-26829,CVE-2022-26820, CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534, CVE-2022-24485,CVE-2022-24533,CVE-2022-26903,CVE-2022-24528, CVE-2022-21983,CVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26796, CVE-2022-26827,CVE-2022-26802,CVE-2022-26797,CVE-2022-26807, CVE-2022-26792,CVE-2022-26794,CVE-2022-26803,CVE-2022-26801, CVE-2022-26787,CVE-2022-26810,CVE-2022-26904,CVE-2022-26798, CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481, CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499, CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831,CVE-2022-24538,CVE-2022-24484,CVE-2022-26784)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-24493,CVE-2022-24498,CVE-2022-24483)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012666: Windows Server 2012 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24538", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-26784", "CVE-2022-26787", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26815", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012666.NASL", "href": "https://www.tenable.com/plugins/nessus/159676", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159676);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24492\",\n 
\"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24538\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-26784\",\n \"CVE-2022-26787\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26815\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012650\");\n script_xref(name:\"MSKB\", value:\"5012666\");\n script_xref(name:\"MSFT\", value:\"MS22-5012650\");\n script_xref(name:\"MSFT\", value:\"MS22-5012666\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012666: Windows Server 2012 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012666\nor cumulative update 5012650. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26812,\n CVE-2022-26919,CVE-2022-26809,CVE-2022-26918,CVE-2022-26813,\n CVE-2022-26821,CVE-2022-26819,CVE-2022-26815,CVE-2022-26916,\n CVE-2022-26822,CVE-2022-26917,CVE-2022-26829,CVE-2022-26820,\n CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534,\n CVE-2022-24485,CVE-2022-24533,CVE-2022-26903,CVE-2022-24528,\n CVE-2022-21983,CVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges. (CVE-2022-26796,\n CVE-2022-26827,CVE-2022-26802,CVE-2022-26797,CVE-2022-26807,\n CVE-2022-26792,CVE-2022-26794,CVE-2022-26803,CVE-2022-26801,\n CVE-2022-26787,CVE-2022-26810,CVE-2022-26904,CVE-2022-26798,\n CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481,\n CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499,\n CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26915,\n CVE-2022-26831,CVE-2022-24538,CVE-2022-24484,CVE-2022-26784)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-24493,CVE-2022-24498,CVE-2022-24483)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012650\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012666 or Cumulative Update 5012650\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft 
Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012666',\n '5012650'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012666, 5012650])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:38", "description": "The remote Windows host is missing security update 5012649 or cumulative update 5012626. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494, CVE-2022-24499, CVE-2022-24521, CVE-2022-24527, CVE-2022-24530, CVE-2022-24540, CVE-2022-24542, CVE-2022-24544, CVE-2022-24547, CVE-2022-24550, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26790, CVE-2022-26792, CVE-2022-26794, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26810, CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21983, CVE-2022-22008, CVE-2022-24485, CVE-2022-24491, CVE-2022-24492, CVE-2022-24500, CVE-2022-24528, CVE-2022-24533, CVE-2022-24534, CVE-2022-24536, CVE-2022-24541, CVE-2022-26809, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26829, CVE-2022-26903, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24493,CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. 
(CVE-2022-26915, CVE-2022-26831)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012649: Windows 7 and Windows Server 2008 R2 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24485", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24547", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012649.NASL", "href": "https://www.tenable.com/plugins/nessus/159672", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159672);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24485\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24498\",\n 
\"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-26787\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26815\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012626\");\n script_xref(name:\"MSKB\", value:\"5012649\");\n script_xref(name:\"MSFT\", value:\"MS22-5012626\");\n script_xref(name:\"MSFT\", value:\"MS22-5012649\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012649: Windows 7 and Windows Server 2008 R2 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012649\nor cumulative update 5012626. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24547, CVE-2022-24550,\n CVE-2022-26786, CVE-2022-26787, CVE-2022-26788,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26794,\n CVE-2022-26796, CVE-2022-26797, CVE-2022-26798,\n CVE-2022-26801, CVE-2022-26802, CVE-2022-26803,\n CVE-2022-26807, CVE-2022-26808, CVE-2022-26810,\n CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24491,\n CVE-2022-24492, CVE-2022-24500, CVE-2022-24528,\n CVE-2022-24533, CVE-2022-24534, CVE-2022-24536,\n CVE-2022-24541, CVE-2022-26809, CVE-2022-26812,\n CVE-2022-26813, CVE-2022-26814, CVE-2022-26815,\n CVE-2022-26817, CVE-2022-26818, CVE-2022-26819,\n CVE-2022-26820, CVE-2022-26821, CVE-2022-26822,\n CVE-2022-26829, CVE-2022-26903, CVE-2022-26916,\n CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24493,CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2022-26915,\n CVE-2022-26831)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012649\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012626\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5012649 or Cumulative Update KB5012626.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012649',\n '5012626'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012649, 5012626])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:40", "description": "The remote Windows host is missing security update 5012639 or cumulative update 5012670. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494, CVE-2022-24499, CVE-2022-24521, CVE-2022-24527, CVE-2022-24530, CVE-2022-24540, CVE-2022-24542, CVE-2022-24544, CVE-2022-24547, CVE-2022-24550, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26790, CVE-2022-26792, CVE-2022-26794, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26810, CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21983, CVE-2022-22008, CVE-2022-24485, CVE-2022-24491, CVE-2022-24492, CVE-2022-24500, CVE-2022-24528, CVE-2022-24533, CVE-2022-24534, CVE-2022-24536, CVE-2022-24541, CVE-2022-26809, CVE-2022-26812, CVE-2022-26813, CVE-2022-26814, CVE-2022-26815, CVE-2022-26817, CVE-2022-26818, CVE-2022-26819, CVE-2022-26820, CVE-2022-26821, CVE-2022-26822, CVE-2022-26829, CVE-2022-26903, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-24483, CVE-2022-24493, CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. 
(CVE-2022-24484, CVE-2022-24538, CVE-2022-26784, CVE-2022-26831, CVE-2022-26915)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012670: Windows Server 2012 R2 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24538", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24547", "CVE-2022-24550", "CVE-2022-26784", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012639.NASL", "href": "https://www.tenable.com/plugins/nessus/159682", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159682);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n 
\"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24538\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24547\",\n \"CVE-2022-24550\",\n \"CVE-2022-26784\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012639\");\n script_xref(name:\"MSKB\", value:\"5012670\");\n script_xref(name:\"MSFT\", value:\"MS22-5012639\");\n script_xref(name:\"MSFT\", value:\"MS22-5012670\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012670: Windows Server 2012 R2 Security Update (April 2022)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012639\nor cumulative update 5012670. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24547, CVE-2022-24550,\n CVE-2022-26786, CVE-2022-26787, CVE-2022-26788,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26794,\n CVE-2022-26796, CVE-2022-26797, CVE-2022-26798,\n CVE-2022-26801, CVE-2022-26802, CVE-2022-26803,\n CVE-2022-26807, CVE-2022-26808, CVE-2022-26810,\n CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24491,\n CVE-2022-24492, CVE-2022-24500, CVE-2022-24528,\n CVE-2022-24533, CVE-2022-24534, CVE-2022-24536,\n CVE-2022-24541, CVE-2022-26809, CVE-2022-26812,\n CVE-2022-26813, CVE-2022-26814, CVE-2022-26815,\n CVE-2022-26817, CVE-2022-26818, CVE-2022-26819,\n CVE-2022-26820, CVE-2022-26821, CVE-2022-26822,\n CVE-2022-26829, CVE-2022-26903, CVE-2022-26916,\n CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24483, CVE-2022-24493,\n CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2022-24484,\n CVE-2022-24538, CVE-2022-26784, CVE-2022-26831,\n CVE-2022-26915)\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012639 or Cumulative Update 5012670\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012670',\n '5012639'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012670, 5012639])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:05", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24479, CVE-2022-24481, CVE-2022-24486, CVE-2022-24494, CVE-2022-24496, CVE-2022-24499, CVE-2022-24521, CVE-2022-24527, CVE-2022-24530, CVE-2022-24540, CVE-2022-24542, CVE-2022-24544, CVE-2022-24546, CVE-2022-24547, CVE-2022-24549, CVE-2022-24550, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26789, CVE-2022-26790, CVE-2022-26792, CVE-2022-26793, CVE-2022-26794, CVE-2022-26795, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26810, CVE-2022-26827, CVE-2022-26828, CVE-2022-26904, CVE-2022-26914)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21983, CVE-2022-22008, CVE-2022-24485, CVE-2022-24487, CVE-2022-24491, CVE-2022-24492, CVE-2022-24495, CVE-2022-24500, CVE-2022-24528, CVE-2022-24533, CVE-2022-24534, CVE-2022-24537, CVE-2022-24541, CVE-2022-24545, CVE-2022-26809, CVE-2022-26826, CVE-2022-26903, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-24483, CVE-2022-24493, CVE-2022-24498, CVE-2022-26920)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012591: Windows 10 version 1909 / Windows Server 1909 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24537", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012591.NASL", "href": "https://www.tenable.com/plugins/nessus/159679", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159679);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n 
\"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24537\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012591\");\n script_xref(name:\"MSFT\", value:\"MS22-5012591\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012591: Windows 10 version 1909 / Windows Server 1909 Security Update (April 2022)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24479, CVE-2022-24481,\n CVE-2022-24486, CVE-2022-24494, CVE-2022-24496,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24546, CVE-2022-24547,\n CVE-2022-24549, CVE-2022-24550, CVE-2022-26786,\n CVE-2022-26787, CVE-2022-26788, CVE-2022-26789,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26793,\n CVE-2022-26794, CVE-2022-26795, CVE-2022-26796,\n CVE-2022-26797, CVE-2022-26798, CVE-2022-26801,\n CVE-2022-26802, CVE-2022-26803, CVE-2022-26807,\n CVE-2022-26808, CVE-2022-26810, CVE-2022-26827,\n CVE-2022-26828, CVE-2022-26904, CVE-2022-26914)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831,\n CVE-2022-26915)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24487,\n CVE-2022-24491, CVE-2022-24492, CVE-2022-24495,\n CVE-2022-24500, CVE-2022-24528, CVE-2022-24533,\n CVE-2022-24534, CVE-2022-24537, CVE-2022-24541,\n CVE-2022-24545, CVE-2022-26809, CVE-2022-26826,\n CVE-2022-26903, CVE-2022-26916, CVE-2022-26917,\n CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-24483, CVE-2022-24493,\n CVE-2022-24498, CVE-2022-26920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012591\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012591\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012591'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012591])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:04", "description": "The remote Windows host is missing security update 5012592. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831 CVE-2022-26915, CVE-2022-23268) \n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-26916, CVE-2022-26917, CVE-2022-26809, CVE-2022-26919, CVE-2022-26830, CVE-2022-26918, CVE-2022-26826, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-24495, CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26920, CVE-2022-24493, CVE-2022-24498, CVE-2022-24483)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26789, CVE-2022-26786, CVE-2022-26802, CVE-2022-26808, CVE-2022-26807, CVE-2022-26795, CVE-2022-26792, CVE-2022-26794, CVE-2022-26904, CVE-2022-26803, CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, CVE-2022-26914, CVE-2022-26801, CVE-2022-26798, CVE-2022-26793, CVE-2022-26796, CVE-2022-26790, CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012592: Windows 11 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23268", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", 
"CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24537", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26826", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012592.NASL", "href": "https://www.tenable.com/plugins/nessus/159671", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159671);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-22009\",\n \"CVE-2022-23257\",\n \"CVE-2022-23268\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24488\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24537\",\n 
\"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26826\",\n \"CVE-2022-26830\",\n \"CVE-2022-26831\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012592\");\n script_xref(name:\"MSFT\", value:\"MS22-5012592\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012592: Windows 11 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012592. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831\n CVE-2022-26915, CVE-2022-23268)\n \n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2022-26916, \n CVE-2022-26917, CVE-2022-26809, CVE-2022-26919, \n CVE-2022-26830, CVE-2022-26918, CVE-2022-26826, \n CVE-2022-24545, CVE-2022-24541, CVE-2022-24492,\n CVE-2022-24491, CVE-2022-24537, CVE-2022-24487,\n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533,\n CVE-2022-24495, CVE-2022-24528, CVE-2022-23257,\n CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, \n CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-26920, CVE-2022-24493, \n CVE-2022-24498, CVE-2022-24483)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges. (CVE-2022-26789, \n CVE-2022-26786, CVE-2022-26802, CVE-2022-26808, \n CVE-2022-26807, CVE-2022-26795, CVE-2022-26792, \n CVE-2022-26794, CVE-2022-26904, CVE-2022-26803, \n CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, \n CVE-2022-26914, CVE-2022-26801, CVE-2022-26798, \n CVE-2022-26793, CVE-2022-26796, CVE-2022-26790, \n CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, \n CVE-2022-24540, CVE-2022-24488, CVE-2022-24486, \n CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, \n CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, \n CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, \n CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012592\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012592\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012592'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'22000',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012592])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:40", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26827, CVE-2022-24549, CVE-2022-26810, CVE-2022-26803, CVE-2022-26808, CVE-2022-26807, CVE-2022-26792, CVE-2022-26801, CVE-2022-26802, CVE-2022-26794, CVE-2022-26790, CVE-2022-26797, CVE-2022-26787, CVE-2022-26798, CVE-2022-26796, CVE-2022-26786, CVE-2022-26904, CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24547, CVE-2022-24550, CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26823, CVE-2022-26812, CVE-2022-26919, CVE-2022-26811, CVE-2022-26809, CVE-2022-26918, CVE-2022-26917, CVE-2022-26813, CVE-2022-26826, CVE-2022-26824, CVE-2022-26815, CVE-2022-26814, CVE-2022-26916, CVE-2022-26822, CVE-2022-26829, CVE-2022-26820, CVE-2022-26819, CVE-2022-26818, CVE-2022-26825, CVE-2022-26817, CVE-2022-26821, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-26816, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012596: Windows 10 version 1607 / Windows Server 2016 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26832", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": 
"SMB_NT_MS22_APR_5012596.NASL", "href": "https://www.tenable.com/plugins/nessus/159677", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159677);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n 
\"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26832\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012596\");\n script_xref(name:\"MSFT\", value:\"MS22-5012596\");\n script_xref(name:\"IAVA\", value:\"2022-A-0143-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012596: Windows 10 version 1607 / Windows Server 2016 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26827, CVE-2022-24549, CVE-2022-26810, \n CVE-2022-26803, CVE-2022-26808, CVE-2022-26807, \n CVE-2022-26792, CVE-2022-26801, CVE-2022-26802, \n CVE-2022-26794, CVE-2022-26790, CVE-2022-26797, \n CVE-2022-26787, CVE-2022-26798, CVE-2022-26796, \n CVE-2022-26786, CVE-2022-26904, CVE-2022-26788, \n CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, \n CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, \n CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, \n CVE-2022-24521, CVE-2022-24547, CVE-2022-24550, \n CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831, \n CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26823, \n CVE-2022-26812, CVE-2022-26919, CVE-2022-26811, \n CVE-2022-26809, CVE-2022-26918, CVE-2022-26917, \n CVE-2022-26813, CVE-2022-26826, CVE-2022-26824, \n CVE-2022-26815, CVE-2022-26814, CVE-2022-26916, \n CVE-2022-26822, CVE-2022-26829, CVE-2022-26820, \n CVE-2022-26819, CVE-2022-26818, CVE-2022-26825, \n CVE-2022-26817, CVE-2022-26821, CVE-2022-24545, \n CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, \n CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, \n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, \n CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-26816, CVE-2022-24493, \n CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, \n CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012596\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5012596\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012596'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012596])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:26", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26790, CVE-2022-26828, CVE-2022-26827, CVE-2022-26807, CVE-2022-26796, CVE-2022-26798, CVE-2022-26808, CVE-2022-26810, CVE-2022-26803, CVE-2022-26802, CVE-2022-26801, CVE-2022-26794, CVE-2022-26792, CVE-2022-26904, CVE-2022-26788, CVE-2022-26793, CVE-2022-26914, CVE-2022-26789, CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, CVE-2022-26795, CVE-2022-26786, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26824, CVE-2022-26812, CVE-2022-26919, CVE-2022-26918, CVE-2022-26809, CVE-2022-26825, CVE-2022-26916, CVE-2022-26819, CVE-2022-26817, CVE-2022-26815, CVE-2022-26814, CVE-2022-26823, CVE-2022-26811, CVE-2022-26829, CVE-2022-26821, CVE-2022-26917, CVE-2022-26820, CVE-2022-26826, CVE-2022-26818, CVE-2022-26822, CVE-2022-26813, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-26920, CVE-2022-26816, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012647: Windows 10 version 1809 / Windows Server 2019 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", 
"CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012647.NASL", "href": "https://www.tenable.com/plugins/nessus/159675", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159675);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n 
\"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012647\");\n script_xref(name:\"MSFT\", value:\"MS22-5012647\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012647: Windows 10 version 1809 / Windows Server 2019 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26790, CVE-2022-26828, CVE-2022-26827, \n CVE-2022-26807, CVE-2022-26796, CVE-2022-26798, \n CVE-2022-26808, CVE-2022-26810, CVE-2022-26803, \n CVE-2022-26802, CVE-2022-26801, CVE-2022-26794, \n CVE-2022-26792, CVE-2022-26904, CVE-2022-26788, \n CVE-2022-26793, CVE-2022-26914, CVE-2022-26789, \n CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, \n CVE-2022-26795, CVE-2022-26786, CVE-2022-24496, \n CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, \n CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, \n CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, \n CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, \n CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831, \n CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26824, \n CVE-2022-26812, CVE-2022-26919, CVE-2022-26918, \n CVE-2022-26809, CVE-2022-26825, CVE-2022-26916, \n CVE-2022-26819, CVE-2022-26817, CVE-2022-26815, \n CVE-2022-26814, CVE-2022-26823, CVE-2022-26811, \n CVE-2022-26829, CVE-2022-26821, CVE-2022-26917, \n CVE-2022-26820, CVE-2022-26826, CVE-2022-26818, \n CVE-2022-26822, CVE-2022-26813, CVE-2022-24545, \n CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, \n CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, \n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, \n CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-26920, CVE-2022-26816, \n CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, \n CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, \n CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012647\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5012647\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012647'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012647])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:25", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26789, CVE-2022-26786, CVE-2022-26802, CVE-2022-26803, CVE-2022-26801, CVE-2022-26796, CVE-2022-26787, CVE-2022-26797, CVE-2022-26827, CVE-2022-26810, CVE-2022-26808, CVE-2022-26798, CVE-2022-24549, CVE-2022-26795, CVE-2022-26791, CVE-2022-26794, CVE-2022-26904, CVE-2022-26792, CVE-2022-26807, CVE-2022-26788, CVE-2022-26828, CVE-2022-26790, CVE-2022-26914, CVE-2022-26793, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26917, CVE-2022-26916, CVE-2022-26812, CVE-2022-26811, CVE-2022-26919, CVE-2022-26823, CVE-2022-26809, CVE-2022-26824, CVE-2022-26818, CVE-2022-26815, CVE-2022-26814, CVE-2022-26822, CVE-2022-26918, CVE-2022-26829, CVE-2022-26820, CVE-2022-26826, CVE-2022-26819, CVE-2022-26825, CVE-2022-26817, CVE-2022-26821, CVE-2022-26813, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-26816, CVE-2022-26920, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012599: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26791", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", 
"CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012599.NASL", "href": "https://www.tenable.com/plugins/nessus/159685", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159685);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-22009\",\n \"CVE-2022-23257\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24488\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26791\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n 
\"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012599\");\n script_xref(name:\"MSFT\", value:\"MS22-5012599\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012599: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26789, CVE-2022-26786, CVE-2022-26802,\n CVE-2022-26803, CVE-2022-26801, CVE-2022-26796,\n CVE-2022-26787, CVE-2022-26797, CVE-2022-26827,\n CVE-2022-26810, CVE-2022-26808, CVE-2022-26798,\n CVE-2022-24549, CVE-2022-26795, CVE-2022-26791, \n CVE-2022-26794, CVE-2022-26904, CVE-2022-26792,\n CVE-2022-26807, CVE-2022-26788, CVE-2022-26828, \n CVE-2022-26790, CVE-2022-26914, CVE-2022-26793, \n CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, \n CVE-2022-24489, CVE-2022-24488, CVE-2022-24486, \n CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, \n CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, \n CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, \n CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831, \n CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26917, \n CVE-2022-26916, CVE-2022-26812, CVE-2022-26811, \n CVE-2022-26919, CVE-2022-26823, CVE-2022-26809, \n CVE-2022-26824, CVE-2022-26818, CVE-2022-26815, \n CVE-2022-26814, CVE-2022-26822, CVE-2022-26918, \n CVE-2022-26829, CVE-2022-26820, CVE-2022-26826, \n CVE-2022-26819, CVE-2022-26825, CVE-2022-26817, \n CVE-2022-26821, CVE-2022-26813, CVE-2022-24545, \n CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, \n CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, \n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, \n CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, \n CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, \n CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-26816, CVE-2022-26920, \n CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, \n CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, \n CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012591\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012599\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012599'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:19042,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012599])\n|| smb_check_rollup(os:'10',\n sp:0,\n os_build:19043,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012599])\n|| smb_check_rollup(os:'10',\n sp:0,\n os_build:19044,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012599])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:50", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26786, CVE-2022-26787, CVE-2022-26827, CVE-2022-26789, CVE-2022-26810, CVE-2022-26803, CVE-2022-26802, CVE-2022-26801, CVE-2022-26828, CVE-2022-26808, CVE-2022-26788, CVE-2022-26790, CVE-2022-24549, CVE-2022-26914, CVE-2022-26798, CVE-2022-26795, CVE-2022-26793, CVE-2022-26796, CVE-2022-26904, CVE-2022-26807, CVE-2022-26797, CVE-2022-26794, CVE-2022-26792, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831, CVE-2022-24538, CVE-2022-24484, CVE-2022-23268, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26917, CVE-2022-26916, CVE-2022-26812, CVE-2022-26811, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26919, CVE-2022-26820, CVE-2022-26830, CVE-2022-26818, CVE-2022-26815, CVE-2022-26809, CVE-2022-26814, CVE-2022-26822, CVE-2022-26829, CVE-2022-26819, CVE-2022-26918, CVE-2022-26826, CVE-2022-26817, CVE-2022-26821, CVE-2022-26813, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-26816, CVE-2022-26920, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012604: Windows Server 2022 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23268", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", 
"CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2023-02-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012604.NASL", "href": "https://www.tenable.com/plugins/nessus/159681", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159681);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/03\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-22009\",\n \"CVE-2022-23257\",\n \"CVE-2022-23268\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24488\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n 
\"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26829\",\n \"CVE-2022-26830\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012604\");\n script_xref(name:\"MSFT\", value:\"MS22-5012604\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012604: Windows Server 2022 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26786, CVE-2022-26787, CVE-2022-26827, \n CVE-2022-26789, CVE-2022-26810, CVE-2022-26803, \n CVE-2022-26802, CVE-2022-26801, CVE-2022-26828, \n CVE-2022-26808, CVE-2022-26788, CVE-2022-26790, \n CVE-2022-24549, CVE-2022-26914, CVE-2022-26798, \n CVE-2022-26795, CVE-2022-26793, CVE-2022-26796, \n CVE-2022-26904, CVE-2022-26807, CVE-2022-26797, \n CVE-2022-26794, CVE-2022-26792, CVE-2022-24496, \n CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, \n CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, \n CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, \n CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, \n CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, \n CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26915, \n CVE-2022-26831, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-23268, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26917, \n CVE-2022-26916, CVE-2022-26812, CVE-2022-26811, \n CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, \n CVE-2022-26919, CVE-2022-26820, CVE-2022-26830, \n CVE-2022-26818, CVE-2022-26815, CVE-2022-26809, \n CVE-2022-26814, CVE-2022-26822, CVE-2022-26829, \n CVE-2022-26819, CVE-2022-26918, CVE-2022-26826, \n CVE-2022-26817, CVE-2022-26821, CVE-2022-26813, \n CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, \n CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, \n CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, \n CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, \n CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, \n CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-26816, CVE-2022-26920, \n CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, \n CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, \n CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012604\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5012604\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012604'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'20348',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012604])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2023-05-15T18:19:57", "description": "\n\n**Updated April 20, 2023**\n\nIn February 2023, Kaspersky technologies detected a number of attempts to execute similar elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions. 
These exploits were very similar to already known [Common Log File System (CLFS)](<https://en.wikipedia.org/wiki/Common_Log_File_System>) driver exploits that we analyzed previously, but we decided to double-check and it was worth it \u2013 one of the exploits turned out to be a zero-day, supporting different versions and builds of Windows, including Windows 11. The exploit was highly obfuscated, with more than 80% of its code being "junk" elegantly compiled into the binary, but we quickly and fully reverse-engineered it and reported our findings to Microsoft. Microsoft assigned CVE-2023-28252 to the Common Log File System elevation-of-privilege vulnerability, and a patch was released on April 11, 2023, as part of April Patch Tuesday.\n\nWhile the majority of zero-days that we've discovered in the past were used by APTs, this particular zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks. This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we've identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries. Using the CVE-2023-28252 zero-day, this group attempted to deploy the Nokoyawa ransomware as a final payload. \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/11115128/Nokoyawa_ransomware_attacks_with_Windows_zero-day_01.png>)\n\n**_Nokoyawa ransom note_**\n\n## Elevation-of-privilege exploit\n\nThe attacker must be authenticated with user access and have the ability to run code on the target system to launch the elevation-of-privilege exploit.\n\nCLFS is a log file subsystem that was first introduced in Microsoft Windows Server 2003 R2 / Microsoft Vista and is implemented in the clfs.sys driver. 
This file system can be used by any application and Microsoft provides an [API](<https://learn.microsoft.com/en-us/previous-versions/windows/desktop/clfs/common-log-file-system-api>) for it. Logs are created using the [CreateLogFile](<https://learn.microsoft.com/en-us/windows/win32/api/clfsw32/nf-clfsw32-createlogfile>) function - a log is made up of a base log file (.blf file name extension) that is a master file containing metadata, and a number of containers that hold the actual data. Containers are created using the [AddLogContainer](<https://learn.microsoft.com/en-us/windows/win32/api/clfsw32/nf-clfsw32-addlogcontainer>) and [AddLogContainerSet](<https://learn.microsoft.com/en-us/windows/win32/api/clfsw32/nf-clfsw32-addlogcontainerset>) functions. As you may already guess, the base log files are the most interesting to look at. But while Microsoft provides an API for working with them, their file format is undocumented, and developers should interact with them only through the CLFS API. The file structure of base log files, when viewed briefly in a hex editor, does not seem very complicated, and Microsoft provides debug symbols for clfs.sys, so with a sufficient level of enthusiasm this format can be reverse engineered (already [done](<https://github.com/ionescu007/clfs-docs>) by Alex Ionescu). A glance at the structure of base log files instantly raises a red flag \u2013 the file consists of kernel structures as it is, and there are even fields for storing memory pointers! Combine that with the fact that, according to the API documentation, this technology is quite complicated, plus it was developed a long time ago, and we have a large number of vulnerabilities as a result. 
Searching for "Windows Common Log File System Driver Elevation Of Privilege Vulnerability" shows that there have been at least thirty-two such vulnerabilities (not counting CVE-2023-28252) discovered since 2018, where three of them were detected in the wild as zero-days (CVE-2022-24521, CVE-2022-37969, CVE-2023-23376).\n\nCVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend a metadata block. The vulnerability is triggered by manipulating a base log file. At this time, we will not share the names of the fields or exact values that should be written to the file in order to trigger the vulnerability, as that information could facilitate further exploitation. This is to ensure that everyone has enough time to patch their systems before other actors develop their own exploits for CVE-2023-28252. Instead, we will share some general information about the vulnerability and the way of exploiting it. \n\nThe vulnerability is triggered in the CClfsBaseFilePersisted::ExtendMetadataBlock function when this function is executed with a call to the AddLogContainer API function. There is a condition for CClfsBaseFilePersisted::ExtendMetadataBlock function to be executed, and the base log file needs to be modified for that to happen. Besides, various fields in the CONTROL and CONTROL_SHADOW metadata blocks need to be patched. The exploit modifies LogBlockHeader->ValidSectorCount and various fields in LogBlockHeader->Record[0] for both the CONTROL and CONTROL_SHADOW metadata blocks. As a result of these changes, the CClfsBaseFilePersisted::ExtendMetadataBlock function performs out-of-bounds access to the m_rgBlocks array, which contains only six elements. After that, the CClfsBaseFilePersisted::WriteMetadataBlock function will proceed to use the retrieved value from the m_rgBlocks array as a pointer to the _CLFS_LOG_BLOCK_HEADER structure to increment LogBlockHeader->Record[0]->DumpCount and LogBlockHeader->Usn. 
This can be used to corrupt a kernel object in memory and obtain kernel read/write privileges if the address of the desired victim object is sprayed in the right location in memory.\n\nThe discovered exploit uses the vulnerability to corrupt another specially crafted base log file object so that a fake element of the base log file gets treated as a real one. _CLFS_CONTAINER_CONTEXT is an example of a structure that gets stored in base log files but contains a field for storing a kernel pointer. Of course, the value of this field is ignored when the structure is read from the base log file on disk, but changing, in memory, the offset pointing to the valid _CLFS_CONTAINER_CONTEXT structure into an offset pointing to a specially crafted malicious _CLFS_CONTAINER_CONTEXT structure makes it possible to supply a pointer to attacker-controlled user-mode memory and obtain kernel read/write privileges with it.\n\nThe exploit leaks the addresses of kernel objects to achieve stable exploitation. This is done using the NtQuerySystemInformation function \u2013 a technique that we previously saw in other zero-days (e.g. [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>), [MysterySnail](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>) APT cases). The information classes used by the exploit require Medium IL to work.\n\nWe believe that CVE-2023-28252 could have been easily discovered with the help of fuzzing. But so many vulnerabilities have already been found in this component; if it is discoverable by fuzzing, why was it not found before? We have a possible explanation. Examining the clfs.sys driver code in a disassembler shows extensive use of try/catch blocks to catch exceptions. In many parts of the code, when an exception occurs it is masked by an exception handler and execution continues as if nothing happened. 
We verified that, with CVE-2023-28252, a possible access violation that follows the triggering of the vulnerability is masked by an exception handler. This makes us think that fuzzers were probably hitting this vulnerability before, but because there was no crash it went undiscovered. For effective fuzzing, it's necessary to keep in mind the possibility of such a scenario and to take steps to prevent it.\n\n## Post exploitation and malware\n\nWe see that the main purpose of using elevation-of-privilege exploits was to dump the contents of the HKEY_LOCAL_MACHINE\\SAM registry hive.\n\nAs for the malware, attackers use Cobalt Strike BEACON as their main tool. It's launched with a variety of custom loaders aimed at evading AV detection.\n\nIn some of the other attacks that we attribute to the same actor, we also observed that, prior to exploiting the CLFS elevation-of-privilege vulnerability, the victim's machines were infected with a custom modular backdoor named "Pipemagic" that gets launched via an MSBuild script. At the end of last year, we published a private report about this malware for customers of the Kaspersky Intelligence Reporting service.\n\nIn attacks using the CVE-2023-28252 zero-day, this group attempted to deploy Nokoyawa ransomware as a final payload. Early variants of Nokoyawa were just "rebranded" variants of JSWorm ransomware, which we wrote about [previously](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). In this attack, cybercriminals used a newer version of Nokoyawa that is quite distinct from the JSWorm codebase. It's written in C and has encrypted strings. 
It was launched with an encrypted json config provided with a "-config" command line argument.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/10115431/Nokoyawa_ransomware_attacks_with_Windows_zero-day_02.png>)\n\n**_Decrypted and formatted config of Nokoyawa ransomware_**\n\n## Conclusions\n\nWe see a significantly increasing level of sophistication among cybercriminal groups. We don't often see APTs using zero-day exploits in their attacks, and now there are financially motivated cybercriminal groups that have the resources to acquire exploits for unknown vulnerabilities and routinely use them in attacks. Moreover, there are developers willing to help cybercriminal groups and to produce one exploit after another.\n\nWe detect the CVE-2023-28252 exploit and related malware with the verdicts:\n\n * PDM:Exploit.Win32.Generic\n * PDM:Trojan.Win32.Generic\n * HEUR:Trojan-Ransom.Win32.Generic\n * Win64.Agent*\n\nKaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. CVE-2023-28252 is the latest addition to the long list of zero-days discovered in the wild with the help of our technologies. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.\n\nMore information about this and related attacks is available to customers of the Kaspersky Intelligence Reporting service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n_Kaspersky would like to thank Microsoft for their prompt analysis of the report and patches._\n\n## Indicators of compromise\n\nAfter finishing, the exploit leaves files used for exploitation at the hard-coded path in the "C:\\Users\\Public\\" folder. 
Companies can check if the exploit was launched on their servers or employees' machines by looking for the presence of the "C:\\Users\\Public\\\\.container*", "C:\\Users\\Public\\MyLog*.blf", and "C:\\Users\\Public\\p_*" files.\n\n**Exploitation artifacts** \nC:\\Users\\Public\\\\.container* \nC:\\Users\\Public\\MyLog*.blf \nC:\\Users\\Public\\p_*\n\n**Exploit** \n[46168ed7dbe33ffc4179974f8bf401aa](<https://opentip.kaspersky.com/46168ed7dbe33ffc4179974f8bf401aa/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)\n\n**CobaltStrike loaders** \n[1e4dd35b16ddc59c1ecf240c22b8a4c4](<https://opentip.kaspersky.com/1e4dd35b16ddc59c1ecf240c22b8a4c4/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[f23be19024fcc7c8f885dfa16634e6e7](<https://opentip.kaspersky.com/f23be19024fcc7c8f885dfa16634e6e7/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[a2313d7fdb2f8f5e5c1962e22b504a17](<https://opentip.kaspersky.com/a2313d7fdb2f8f5e5c1962e22b504a17/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)\n\n**CobaltStrike C2s** \n[vnssinc[.]com](<https://opentip.kaspersky.com/vnssinc.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[qooqle[.]top](<https://opentip.kaspersky.com/qooqle.top/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[vsexec[.]com](<https://opentip.kaspersky.com/vsexec.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[devsetgroup[.]com](<https://opentip.kaspersky.com/devsetgroup.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)\n\n**Nokoyawa ransomware** \n[8800e6f1501f69a0a04ce709e9fa251c](<https://opentip.kaspersky.com/8800e6f1501f69a0a04ce709e9fa251c/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-11T17:36:20", "type": "securelist", "title": "Nokoyawa ransomware attacks with Windows zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521", "CVE-2022-37969", "CVE-2023-23376", "CVE-2023-28252"], "modified": "2023-04-11T17:36:20", "id": "SECURELIST:2A8910B73BBDBE37391EE4739A773C24", "href": "https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-24T17:10:52", "description": "\n\n## Introduction\n\nIn our crimeware reporting service, we analyze the latest crime-related trends we come across. Last month, we again posted a lot on ransomware, but we also covered other subjects, such as 1-day exploits. In this blogpost, we provide excerpts from these reports.\n\nFor questions or more information about our crimeware reporting service, please contact [crimewareintel@kaspersky.com](<mailto:crimewareintel@kaspersky.com>).\n\n## RedAlert / N13V: yet another multiplatform ransomware variant\n\nRedAlert (aka N13V) is the latest in the multiplatform ransomware trend we described [here](<https://securelist.com/new-ransomware-trends-in-2022/106457/>) and [here](<https://securelist.com/luna-black-basta-ransomware/106950/>). The difference this time, though, is that it is not written in a cross-platform language but in C \u2014 at least the Linux version that we could get our hands on, was. 
It does, however, explicitly support ESXi environments. For example, it has the command-line option "-w", which stops running VMs, and it also searches for VMWare-based VMs as can be seen from the screenshots below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/23163047/Ransomware_updates__1-day_exploits_01.png>)\n\n**_Note the specific VMWare-related strings the malware looks for_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/23163133/Ransomware_updates__1-day_exploits_02.png>)\n\n**_Stopping VMs_**\n\nInterestingly, the group mentions on their onion website that a decryptor is available on all platforms. Unfortunately, we could not get our hands on the other versions, so we don't know whether the decryptor is written in a cross-platform language or not.\n\nAnother aspect that sets RedAlert apart from other ransomware groups is that they only accept payments in Monero. From a criminal point of view, the advantage is that payments cannot be traced. The problem, however, is that Monero is not accepted in every country or by every exchange, making a ransom payment more difficult for the victim.\n\nSince the group is relatively young, we couldn't find out a lot about the victimology, but RedAlert stands out as an interesting example of a group that managed to adjust their code written in C to different platforms.\n\n## Monster: Ransomware with a GUI\n\nIn July, our Darknet monitoring system detected yet another new cross-platform ransomware variant: Monster. There are a couple of peculiar properties about Monster. First, unlike other new ransomware families that are written in modern cross-platform languages (e.g. Rust, Go), Monster is written in Delphi. Second, the malware has a GUI.\n\nThis latter property is especially peculiar, as we do not remember seeing this before. 
There are good reasons for this: why would one go through the effort of implementing a GUI when most ransomware attacks are executed from the command line in an automated way during a targeted attack? The ransomware authors must have realized this as well, since they included the GUI as an optional command-line parameter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/23163241/Ransomware_updates__1-day_exploits_03.png>)\n\n**_GUI used by Monster_**\n\nThe rest of the ransomware is fairly typical. RSA + AES are used, and multiple threads help to speed up the encryption and decryption process.\n\nIn terms of victimology, we found a couple of victims located all over the world (Singapore, Indonesia, Bolivia).\n\n## CVE-2022-24521: private 1-day exploits used for attacking Windows 7-11\n\nCybercriminals have the capability to create so-called 1-day exploits within a matter of day(s) after the vulnerability is reported or fixed. This is the reason why many security professionals urge system admins and users to install security patches as soon as possible.\n\nOne such example is CVE-2022-24521, an arbitrary pointer dereference in the Common Log File System (CLFS) driver, which has a long history of vulnerabilities. CVE-2022-24521 allows an attacker to gain system privileges on the infected device and is exploited in different ways by various actors. This time, it must be said, it took the criminals a little longer than usual to develop an exploit: two weeks after the vulnerability was disclosed. We did, however, find an exploit with a PE timestamp dated about one week after the patch was released, indicating that a working exploit might have been available even earlier. In total, we found two different exploits, each with several versions. 
In both cases, the developers sell exploits privately and do not share them on GitHub or other online platforms.\n\nWhat is particularly interesting about these exploits is that they support a variety of Windows versions. This is something we usually see in commercial exploits. But the exploits have more in common: the two share a lot of debug messages. Because of these debug messages and the overall design of one of the exploits, we were able to link it to the other exploit for a much older vulnerability in the CLFS driver. In fact, we can say that the older exploit was reused for the newer vulnerability.\n\nFinally, it is worth mentioning that one of the exploits was used in the wild during an attack on a large retailer in the APAC region.\n\n## Conclusion\n\nIn this blogpost, we stepped away \u2014 even though just slightly \u2014 from solely covering ransomware. Although ransomware is still one of the biggest threats to organizations, one should realize how these attacks actually take place. Quite often criminals use exploits for which patches are already available, simply because the affected organizations do not have an optimal patching policy.\n\nProper threat intelligence can help organizations to protect themselves against these types of threats, despite a non-ideal policy. For example, as we highlighted in this blogpost, criminals sometimes reuse older exploit code for newer vulnerabilities. Properly written Yara rules help to catch these newer exploits. 
Also, discussing TTPs and what is currently popular amongst ransomware groups helps organizations to make better-informed decisions on how to protect their environments.\n\nFor any questions about our private reports, please contact [crimewareintel@kaspersky.com](<mailto:crimewareintel@kaspersky.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-24T10:00:13", "type": "securelist", "title": "Ransomware updates & 1-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-08-24T10:00:13", "id": "SECURELIST:0921F9EC2DCA9018B105FA6E05CEE477", "href": "https://securelist.com/ransomware-updates-1-day-exploits/107291/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-30T12:08:22", "description": "\n\n * [IT threat evolution in Q3 2022](<https://securelist.com/it-threat-evolution-q3-2022/107957/>)\n * **IT threat evolution in Q3 2022. Non-mobile statistics**\n * [IT threat evolution in Q3 2022. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-mobile-statistics/107978/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q3 2022:\n\n * Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.\n * Web Anti-Virus recognized 251,288,987 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 99,989 unique users.\n * Ransomware attacks were defeated on the computers of 72,941 unique users.\n * Our File Anti-Virus detected 49,275,253 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Number of users attacked by banking malware\n\nIn Q3 2022, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 99,989 unique users.\n\n_Number of unique users attacked by financial malware, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154318/01-en-malware-report-q3-2022-pc-stat.png>))_\n\n### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 33.2 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 15.2 \n3 | IcedID | Trojan-Banker.Win32.IcedID | 10.0 \n4 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.8 \n5 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 5.8 \n6 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.1 \n7 | RTM | Trojan-Banker.Win32.RTM | 1.9 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 1.4 \n9 | Tinba/TinyBanker | Trojan-Banker.Win32.Tinba | 1.4 \n10 | Gozi | Trojan-Banker.Win32.Gozi | 1.1 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n### Geography of financial malware 
attacks\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.7 \n2 | Afghanistan | 4.6 \n3 | Paraguay | 2.8 \n4 | Tajikistan | 2.8 \n5 | Yemen | 2.3 \n6 | Sudan | 2.3 \n7 | China | 2.0 \n8 | Switzerland | 2.0 \n9 | Egypt | 1.9 \n10 | Venezuela | 1.8 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000). \n** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\nThe third quarter of 2022 saw the builder for LockBit, a well-known ransomware, [leaked online](<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/>). LockBit themselves attributed the leakage to one of their developers' personal initiative, not the group's getting hacked. One way or another, the LockBit 3.0 build kit is now accessible to the broader cybercriminal community. Similarly to other ransomware families in the past, such as Babuk and Conti, Trojan builds generated with the leaked builder began to serve other groups unrelated to LockBit. One example was Bloody/Bl00dy [spotted back in May](<https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/>). A borrower rather than a creator, this group added the freshly available LockBit to its arsenal in September 2022.\n\nMass attacks on NAS (network attached storage) devices continue. QNAP issued warnings about Checkmate and Deadbolt infections in Q3 2022. The [former](<https://www.qnap.com/en/security-advisory/QSA-22-21>) threatened files accessible from the internet over SMB protocol and protected by a weak account password. 
The latter [attacked](<https://www.qnap.com/en/security-news/2022/take-immediate-action-to-update-photo-station-to-the-latest-available-version>) devices that had a vulnerable version of the Photo Station software installed. Threats that target NAS remain prominent, so we recommend keeping these devices inaccessible from the internet to ensure maximum safety of your data.\n\nThe United States Department of Justice [announced](<https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors>) that it had teamed up with the FBI to seize about $500,000 paid as ransom after a Maui ransomware attack. The Trojan was likely [used](<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>) by the North Korean operators Andariel. The DOJ said victims had started getting their money back.\n\nThe creators of the little-known AstraLocker and Yashma ransomware [published](<https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/>) decryptors and stopped spreading both of them. The hackers provided no explanation for the move, but it appeared to be related to an increase in media coverage.\n\n### Number of new modifications\n\nIn Q3 2022, we detected 17 new ransomware families and 14,626 new modifications of this malware type. 
More than 11,000 of those were assigned the verdict of Trojan-Ransom.Win32.Crypmod, which hit the sixth place in our rankings of the most widespread ransomware Trojans.\n\n_Number of new ransomware modifications, Q3 2021 \u2014 Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154421/03-en-ru-es-malware-report-q3-2022-pc-stat.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q3 2022, Kaspersky products and technologies protected 72,941 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154500/04-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Geography of attacked users\n\n**TOP 10 countries and territories attacked by ransomware Trojans**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.66 \n2 | Yemen | 1.30 \n3 | South Korea | 0.98 \n4 | Taiwan | 0.77 \n5 | Mozambique | 0.64 \n6 | China | 0.52 \n7 | Colombia | 0.43 \n8 | Nigeria | 0.40 \n9 | Pakistan | 0.39 \n10 | Venezuela | 0.32 \n \n_* Excluded are countries with relatively few 
Kaspersky users (under 50,000). \n** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 14.76 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.12 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 11.68 \n4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.59 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.53 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.46 \n7 | Magniber | Trojan-Ransom.Win64.Magni | 4.93 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 4.84 \n9 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 4.35 \n10 | Hive | Trojan-Ransom.Win32.Hive | 3.87 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data. \n** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q3 2022, Kaspersky systems detected 153,773 new miner mods. More than 140,000 of these were found in July and August; combined with June's figure of more than 35,000, this suggests that miner creators kept themselves abnormally busy this past summer.\n\n_Number of new miner modifications, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154533/06-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Number of users attacked by miners\n\nIn Q3, we detected attacks that used miners on the computers of 432,363 unique users of Kaspersky products worldwide. 
A quieter period from late spring through the early fall was followed by another increase in activity.\n\n_Number of unique users attacked by miners, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154601/07-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Geography of miner attacks\n\n**TOP 10 countries and territories attacked by miners**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Ethiopia | 2.38 \n2 | Kazakhstan | 2.13 \n3 | Uzbekistan | 2.01 \n4 | Rwanda | 1.93 \n5 | Tajikistan | 1.83 \n6 | Venezuela | 1.78 \n7 | Kyrgyzstan | 1.73 \n8 | Mozambique | 1.57 \n9 | Tanzania | 1.56 \n10 | Ukraine | 1.54 \n \n_* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarterly highlights\n\nQ3 2022 was remembered for a series of vulnerabilities discovered in various software products. Let's begin with Microsoft Windows and some of its components. Researchers found new vulnerabilities that affected the CLFS driver: [CVE-2022-30220](<https://nvd.nist.gov/vuln/detail/CVE-2022-30220>), along with [CVE-2022-35803](<https://nvd.nist.gov/vuln/detail/CVE-2022-35803>) and [CVE-2022-37969](<https://nvd.nist.gov/vuln/detail/CVE-2022-37969>), both encountered in the wild. By manipulating Common Log File System data in a specific way, an attacker can make the kernel write their own data to arbitrary memory addresses, allowing cybercriminals to hijack kernel control and elevate their privileges in the system. Several vulnerabilities were discovered in the Print Spooler service: [CVE-2022-22022](<https://nvd.nist.gov/vuln/detail/CVE-2022-22022>), [CVE-2022-30206](<https://nvd.nist.gov/vuln/detail/CVE-2022-30206>), and [CVE-2022-30226](<https://nvd.nist.gov/vuln/detail/CVE-2022-30226>). 
These allow elevating system privileges through a series of manipulations while installing a printer. Serious vulnerabilities were also discovered in the Client/Server Runtime Subsystem (CSRSS), an essential Windows component. Some of these can be exploited for privilege escalation ([CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>), [CVE-2022-22049](<https://nvd.nist.gov/vuln/detail/CVE-2022-22049>), and [CVE-2022-22026](<https://nvd.nist.gov/vuln/detail/CVE-2022-22026>)), while [CVE-2022-22038](<https://nvd.nist.gov/vuln/detail/CVE-2022-22038>) affects the remote procedure call (RPC) protocol, allowing an attacker to execute arbitrary code remotely. A series of critical vulnerabilities were discovered in the graphics subsystem, including [CVE-2022-22034](<https://nvd.nist.gov/vuln/detail/CVE-2022-22034>) and [CVE-2022-35750](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35750>), which can also be exploited for privilege escalation. Note that most of the above vulnerabilities require an attacker to have already established a foothold in the system before they can be exploited to run malware. The Microsoft Support Diagnostic Tool (MSDT) was found to contain a further two vulnerabilities, [CVE-2022-34713](<https://nvd.nist.gov/vuln/detail/CVE-2022-34713>) and [CVE-2022-35743](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35743>), which can be exploited to take advantage of security flaws in the link handler to remotely run commands in the system.\n\nMost of the network threats detected in Q3 2022 were again attacks associated with [brute-forcing](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) passwords for Microsoft SQL Server, RDP, and other services. Network attacks on vulnerable versions of Windows via EternalBlue, EternalRomance, and other exploits were still common. 
The attempts at exploiting network services and other software via vulnerabilities in the Log4j library ([CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), [CVE-2021-44832](<https://nvd.nist.gov/vuln/detail/CVE-2021-44832>), [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>), and [CVE-2021-45105](<https://nvd.nist.gov/vuln/detail/cve-2021-45105>)) also continued. Several vulnerabilities were found in the Microsoft Windows Network File System (NFS) driver. These are [CVE-2022-22028](<https://nvd.nist.gov/vuln/detail/CVE-2022-22028>), which can lead to leakage of confidential information, as well as [CVE-2022-22029](<https://nvd.nist.gov/vuln/detail/CVE-2022-22029>), [CVE-2022-22039](<https://nvd.nist.gov/vuln/detail/CVE-2022-22039>) and [CVE-2022-34715](<https://nvd.nist.gov/vuln/detail/CVE-2022-34715>), which a cybercriminal can use to remotely execute arbitrary code in the system \u2014 in kernel context \u2014 by using a specially crafted network packet. The TCP/IP stack was found to contain the critical vulnerability [CVE-2022-34718](<https://nvd.nist.gov/vuln/detail/CVE-2022-34718>), which in theory allows an attacker to remotely exploit a target system by taking advantage of errors in the IPv6 protocol handler. Finally, it is worth mentioning the [CVE-2022-34724](<https://nvd.nist.gov/vuln/detail/CVE-2022-34724>) vulnerability, which affects Windows DNS Server and can lead to denial of service if exploited.\n\nTwo vulnerabilities in Microsoft Exchange Server, [CVE-2022-41040](<https://nvd.nist.gov/vuln/detail/CVE-2022-41040>) and [CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082>), received considerable media coverage. They were collectively dubbed "ProxyNotShell" in reference to the ProxyShell vulnerabilities, which have a similar exploitation technique and were closed earlier. 
Researchers discovered the ProxyNotShell exploits while investigating an APT attack: an authenticated user can use these flaws to elevate their privileges and run arbitrary code on an MS Exchange server. As a result, the attacker can steal confidential data, encrypt critical files on the server to extort money from the victim, etc.\n\n### Vulnerability statistics\n\nIn Q3 2022, malicious Microsoft Office documents again accounted for the greatest number of detections \u2014 80% of the exploits we discovered, although the number decreased slightly compared to Q2. Most of these detections were triggered by exploits that targeted the following vulnerabilities:\n\n * [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), in the Equation Editor component, which allow corrupting the application memory when processing formulas, and subsequently running arbitrary code in the system;\n * [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), which allows downloading and running malicious script files;\n * [CVE-2022-30190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190>), also known as "Follina", which exploits a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) for running arbitrary programs in a vulnerable system even in Protected Mode or when macros are disabled;\n * [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which allows an attacker to deploy malicious code using a special ActiveX template due to inadequate input validation.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154631/09-en-malware-report-q3-2022-pc-stat.png>))_\n\nThese 
were followed by exploits that target browsers. Their share amounted to 6%, or 1% higher than in Q2. We will list the most serious vulnerabilities, all of them targeting Google Chrome:\n\n * [CVE-2022-2294](<https://nvd.nist.gov/vuln/detail/CVE-2022-2294>), in the WebRTC component, which leads to buffer overflow;\n * [CVE-2022-2624](<https://nvd.nist.gov/vuln/detail/CVE-2022-2624>), which exploits a memory overflow error in the PDF viewing component;\n * [CVE-2022-2295](<https://nvd.nist.gov/vuln/detail/CVE-2022-2295>), a Type Confusion error that allows an attacker to corrupt the browser process memory remotely and run arbitrary code in a sandbox;\n * [CVE-2022-3075](<https://nvd.nist.gov/vuln/detail/CVE-2022-3075>), an error linked to inadequate input validation in the Mojo interprocess communication component in Google Chromium-based browsers that allows escaping the sandbox and running arbitrary commands in the system.\n\nSince many modern browsers are based on Google Chromium, attackers can often take advantage of the shared vulnerabilities to attack other browsers as well, as long as they run on the same engine.\n\nA series of vulnerabilities were identified in Microsoft Edge. 
Worth noting is [CVE-2022-33649](<https://nvd.nist.gov/vuln/detail/CVE-2022-33649>), which allows running an application in the system by circumventing the browser protections; [CVE-2022-33636](<https://nvd.nist.gov/vuln/detail/CVE-2022-33636>) and [CVE-2022-35796](<https://nvd.nist.gov/vuln/detail/CVE-2022-35796>), Race Condition vulnerabilities that ultimately allow a sandbox escape; and [CVE-2022-38012](<https://nvd.nist.gov/vuln/detail/CVE-2022-38012>), which exploits an application memory corruption error, with similar results.\n\nThe Mozilla Firefox browser was found to contain vulnerabilities associated with memory corruption, which allow running arbitrary code in the system: [CVE-2022-38476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476>), a Race Condition vulnerability that leads to a subsequent Use-After-Free scenario, and the similar vulnerabilities [CVE-2022-38477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477>) and [CVE-2022-38478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478>), which exploit memory corruption. As you can see from our reports, browsers are an attractive target for cybercriminals, as these are widely used and allow attackers to infiltrate the system remotely and virtually unbeknownst to the user. That said, browser vulnerabilities are not simple to exploit, as attackers often have to use a chain of vulnerabilities to work around the protections of modern browsers.\n\nThe remaining positions in our rankings were distributed among Android (5%) and Java (4%) exploits. The fifth-highest number of exploits (3%) targeted Adobe Flash, a technology that is obsolete but remains in use. Rounding out the rankings with 2% were exploits spread through PDF documents.\n\n## Attacks on macOS\n\nThe third quarter of 2022 brought with it a significant number of interesting macOS malware discoveries. 
In particular, researchers found [Operation In(ter)ception](<https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/>), a campaign operated by the North Korean Lazarus group, which targets macOS users looking for cryptocurrency jobs. The malware was disguised as documents containing summaries of positions at Coinbase and Crypto.com.\n\n[CloudMensis](<https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/>), a spy program written in Objective-C, used cloud storage services as C&C servers and [shared several characteristics](<https://twitter.com/ESETresearch/status/1575103839115804672>) with the RokRAT Windows malware operated by ScarCruft.\n\nThe creators of XCSSET [adapted](<https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/>) their toolset to macOS Monterey and migrated from Python 2 to Python 3.\n\nIn Q3, cybercrooks also began to make use of open-source tools in their attacks. 
July saw the discovery of two campaigns that used a fake [VPN application](<https://www.sentinelone.com/blog/from-the-front-lines-new-macos-covid-malware-masquerades-as-apple-wears-face-of-apt/>) and fake [Salesforce updates](<https://twitter.com/ESETresearch/status/1547943014860894210>), both built on the Sliver framework.\n\nIn addition to this, researchers announced a new multi-platform [find](<https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/>): the LuckyMouse group (APT27 / Iron Tiger / Emissary Panda) attacked Windows, Linux, and macOS users with a malicious mod of the Chinese MiMi instant messaging application.\n\n### TOP 20 threats for macOS\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Amc.e | 14.77 \n2 | AdWare.OSX.Pirrit.ac | 10.45 \n3 | AdWare.OSX.Agent.ai | 9.40 \n4 | Monitor.OSX.HistGrabber.b | 7.15 \n5 | AdWare.OSX.Pirrit.j | 7.10 \n6 | AdWare.OSX.Bnodlero.at | 6.09 \n7 | AdWare.OSX.Bnodlero.ax | 5.95 \n8 | Trojan-Downloader.OSX.Shlayer.a | 5.71 \n9 | AdWare.OSX.Pirrit.ae | 5.27 \n10 | Trojan-Downloader.OSX.Agent.h | 3.87 \n11 | AdWare.OSX.Bnodlero.bg | 3.46 \n12 | AdWare.OSX.Pirrit.o | 3.32 \n13 | AdWare.OSX.Agent.u | 3.13 \n14 | AdWare.OSX.Agent.gen | 2.90 \n15 | AdWare.OSX.Pirrit.aa | 2.85 \n16 | Backdoor.OSX.Twenbc.e | 2.85 \n17 | AdWare.OSX.Ketin.h | 2.82 \n18 | AdWare.OSX.Pirrit.gen | 2.69 \n19 | Trojan-Downloader.OSX.Lador.a | 2.52 \n20 | Downloader.OSX.InstallCore.ak | 2.28 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs usual, our TOP 20 ranking of the biggest threats encountered by users of Kaspersky security solutions for macOS was dominated by adware. AdWare.OSX.Amc.e, touted as "Advanced Mac Cleaner," took the top place for the second quarter in a row. This application displays fake system issue messages and offers the full version for purchase to fix them. 
Second and third places went to members of the AdWare.OSX.Pirrit and AdWare.OSX.Agent families.\n\n### Geography of threats for macOS\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | France | 1.71 \n2 | Canada | 1.70 \n3 | Russia | 1.57 \n4 | India | 1.53 \n5 | United States | 1.52 \n6 | Spain | 1.48 \n7 | Australia | 1.36 \n8 | Italy | 1.35 \n9 | Mexico | 1.27 \n10 | United Kingdom | 1.24 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000). \n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nFrance, with 1.71%, was again the most attacked country by number of users. Canada, with 1.70%, and Russia, with 1.57%, followed close behind. The most frequently encountered family in France and Canada was AdWare.OSX.Amc.e, and in Russia, it was AdWare.OSX.Pirrit.ac.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q3 2022, three-fourths of the devices that attacked Kaspersky honeypots used the Telnet protocol.\n\nTelnet | 75.92% \n---|--- \nSSH | 24.08% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2022_\n\nA majority of the attacks on Kaspersky honeypots in terms of sessions were controlled via Telnet as well.\n\nTelnet | 97.53% \n---|--- \nSSH | 2.47% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2022_\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 28.67 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 18.63 \n3 | Backdoor.Linux.Mirai.ba | 11.63 \n4 | Backdoor.Linux.Mirai.cw | 10.94 \n5 | Backdoor.Linux.Gafgyt.a | 3.69 \n6 | Backdoor.Linux.Mirai.ew | 3.49 \n7 | Trojan-Downloader.Shell.Agent.p | 2.56 \n8 | Backdoor.Linux.Gafgyt.bj | 1.63 \n9 | Backdoor.Linux.Mirai.et | 1.17 \n10 | 
Backdoor.Linux.Mirai.ek | 1.08 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT-threat statistics are published in the DDoS report for Q3 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can also infect hacked legitimate resources as well as web resources with user-created content, such as forums._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q3 2022, Kaspersky solutions blocked 956,074,958 attacks launched from online resources across the globe. A total of 251,288,987 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154703/11-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nNote that these rankings only include attacks by malicious objects that fall under the **Malware** class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 19.65 \n2 | Belarus | 17.01 \n3 | Serbia | 15.05 \n4 | Russia | 14.12 \n5 | Algeria | 14.01 \n6 | Turkey | 13.82 \n7 | Tunisia | 13.31 \n8 | Bangladesh | 13.30 \n9 | Moldova | 13.22 \n10 | Palestine | 12.61 \n11 | Yemen | 12.58 \n12 | Ukraine | 12.25 \n13 | Libya | 12.23 \n14 | Sri Lanka | 11.97 \n15 | Kyrgyzstan | 11.69 \n16 | Estonia | 11.65 \n17 | Hong Kong | 11.52 \n18 | Nepal | 11.52 \n19 | Syria | 11.39 \n20 | Lithuania | 11.33 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._\n\nOn average during the quarter, 9.08% of internet users' computers worldwide were subjected to at least one **Malware**-class web attack.\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q3 2022, our File Anti-Virus detected **49,275,253** malicious and potentially unwanted objects.\n\n### Countries and territories where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThese rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 46.48 \n2 | Yemen | 45.12 \n3 | Afghanistan | 44.18 \n4 | Cuba | 40.48 \n5 | Tajikistan | 39.17 \n6 | Bangladesh | 37.06 \n7 | Uzbekistan | 37.00 \n8 | Ethiopia | 36.96 \n9 | South Sudan | 36.89 \n10 | Myanmar | 36.64 \n11 | Syria | 34.82 \n12 | Benin | 34.56 \n13 | Burundi | 33.91 \n14 | Tanzania | 33.05 \n15 | Rwanda | 33.03 \n16 | Chad | 33.01 \n17 | Venezuela | 32.79 \n18 | Cameroon | 32.30 \n19 | Sudan | 31.93 \n20 | Malawi | 31.88 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\nOn average worldwide, Malware-class local threats were registered on 14.74% of users' computers at least once during Q3. 
Russia scored 16.60% in this ranking.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-18T08:10:34", "type": "securelist", "title": "IT threat evolution in Q3 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-40444", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-22022", "CVE-2022-22026", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2624", "CVE-2022-30190", "CVE-2022-30206", "CVE-2022-30220", "CVE-2022-30226", "CVE-2022-3075", "CVE-2022-33636", "CVE-2022-33649", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-34718", "CVE-2022-34724", "CVE-2022-35743", "CVE-2022-35750", "CVE-2022-35796", "CVE-2022-35803", "CVE-2022-37969", "CVE-2022-38012", "CVE-2022-38476", "CVE-2022-38477", "CVE-2022-38478", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-18T08:10:34", "id": "SECURELIST:C1F2E1B6711C8D84F3E78D203B3CE837", "href": 
"https://securelist.com/it-threat-evolution-in-q3-2022-non-mobile-statistics/107963/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-15T16:13:15", "description": "\n\n * [IT threat evolution in Q2 2022](<https://securelist.com/it-threat-evolution-q2-2022/107099/>)\n * **IT threat evolution in Q2 2022. Non-mobile statistics**\n * [IT threat evolution in Q2 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q2-2022-mobile-statistics/107123/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2 2022:\n\n * Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.\n * Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.\n * Ransomware attacks were defeated on the computers of 74,377 unique users.\n * Our File Anti-Virus detected 55,314,176 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2022, Kaspersky solutions blocked the launch of malware designed to steal money from bank accounts on the computers of 100,829 unique users.\n\n_Number of unique users attacked by financial malware, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025224/01-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory._\n\n_Geography of 
financial malware attacks, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025321/02-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.8 \n2 | Afghanistan | 4.3 \n3 | Tajikistan | 3.8 \n4 | Paraguay | 3.1 \n5 | China | 2.4 \n6 | Yemen | 2.4 \n7 | Uzbekistan | 2.2 \n8 | Sudan | 2.1 \n9 | Egypt | 2.0 \n10 | Mauritania | 1.9 \n \n_* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n**TOP 10 banking malware families**\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 35.5 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 15.8 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 6.4 \n4 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 6 \n5 | RTM | Trojan-Banker.Win32.RTM | 2.7 \n6 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.3 \n7 | IcedID | Trojan-Banker.Win32.IcedID | 2.1 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 1.9 \n9 | BitStealer | Trojan-Banker.Win32.BitStealer | 1.8 \n10 | Gozi | Trojan-Banker.Win32.Gozi | 1.3 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\nIn the second quarter, the Lockbit group [launched a bug bounty program](<https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/>). The cybercriminals are promising $1,000 to $1,000,000 for doxing of senior officials, reporting web service, Tox messenger or ransomware Trojan algorithm vulnerabilities, as well as for ideas on improving the Lockbit website and Trojan. 
This was the first time a ransomware group had run a campaign of this kind, apparently as self-promotion.\n\nAnother well-known group, Conti, said it was shutting down operations. The announcement followed a high-profile attack on Costa Rica's information systems, which prompted the government to [declare a state of emergency](<https://www.bleepingcomputer.com/news/security/costa-rica-declares-national-emergency-after-conti-ransomware-attacks/>). The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.\n\nWhile some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil's website went back online in April, and researchers [discovered](<https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/>) a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.\n\nKaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and [released a decryptor](<https://securelist.ru/how-to-recover-files-encrypted-by-yanluowang/105019/>) for all victims. 
Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.\n\n### Number of new modifications\n\nIn Q2 2022, we detected 15 new ransomware families and 2355 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q2 2021 \u2014 Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025415/03-en-ru-es-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2022, Kaspersky products and technologies protected 74,377 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025443/04-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Geography of attacked users\n\n_Geography of attacks by ransomware Trojans, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025517/05-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories attacked by ransomware Trojans**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.81 \n2 | Yemen | 1.24 \n3 | South Korea | 1.11 \n4 | Mozambique | 0.82 \n5 | Taiwan | 0.70 \n6 | China | 0.46 \n7 | Pakistan | 0.40 \n8 | Angola | 0.37 \n9 | Venezuela | 0.33 \n10 | Egypt | 0.32 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 17.91 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.58 \n3 | Magniber | Trojan-Ransom.Win64.Magni | 9.80 \n4 | (generic verdict) | 
Trojan-Ransom.Win32.Gen | 7.91 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.75 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 6.55 \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 3.51 \n8 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 3.02 \n9 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 2.96 \n10 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 2.69 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. A vast majority of these (more than 35,000) were detected in June. Thus, the spring depression \u2014 in March through May we found a total of no more than 10,000 new modifications \u2014 was followed by a record of sorts.\n\n_Number of new miner modifications, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025548/06-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. 
We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.\n\n_Number of unique users attacked by miners, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025613/07-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025642/08-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories attacked by miners**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Rwanda | 2.94 \n2 | Ethiopia | 2.67 \n3 | Tajikistan | 2.35 \n4 | Tanzania | 1.98 \n5 | Kyrgyzstan | 1.94 \n6 | Uzbekistan | 1.88 \n7 | Kazakhstan | 1.84 \n8 | Venezuela | 1.80 \n9 | Mozambique | 1.68 \n10 | Ukraine | 1.56 \n \n_* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarterly highlights\n\nDuring Q2 2022, a number of major vulnerabilities were discovered in Microsoft Windows. For instance, the critical [CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>) error allows an attacker to remotely execute arbitrary code in a system using a custom RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities: [CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>). By sending a custom network message via the NFS protocol, an attacker can remotely execute arbitrary code in the system as well. Both vulnerabilities affect server systems with the NFS role activated. 
The [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) vulnerability targeting the Common Log File System (CLFS) driver was found in the wild. It allows elevation of local user privileges, although that requires the attacker to have gained a foothold in the system. [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>), also known as LSA Spoofing, was another vulnerability found during live operation of server systems. It allows an unauthenticated attacker to call an LSARPC interface method and get authenticated by a Windows domain controller via the NTLM protocol. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.\n\nMost of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved [brute-forcing](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) access to various web services. The most popular protocols and technologies susceptible to these attacks include MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of the Log4j vulnerability ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228>)) is also quite common, as the susceptible Java library is often used in web applications. In addition, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability, [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), which exploits the data binding functionality and results in remote code execution. 
Finally, we have observed a rise in attacks that exploit insecure deserialization, which can also result in access to remote systems due to incorrect or missing validation of untrusted user data passed to various applications.\n\n### Vulnerability statistics\n\nExploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which are the best-known vulnerabilities in the Equation Editor component. Exploitation involves corrupting the component's memory and running a specially crafted script on the target computer. Another vulnerability, [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), allows downloading and running a malicious script when an infected document is opened, to execute various operations on a vulnerable system. The emergence of [CVE-2022-30190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190>), [or the Follina vulnerability](<https://securelist.com/cve-2022-30190-follina-vulnerability-in-msdt-description-and-counteraction/106703/>), also increased the number of exploits in this category. An attacker can use a custom malicious document with a link to an external OLE object, and a special URI scheme to have Windows run the MSDT diagnostics tool. 
This, in turn, combined with a special set of parameters passed to the victim's computer, can cause an arbitrary command to be executed \u2014 even if macros are disabled and the document is opened in Protected Mode.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025713/09-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\nAttempts at exploiting vulnerabilities that affect various script engines and, specifically, browsers, dipped to 5%. In the second quarter, a number of critical RCE vulnerabilities were discovered in various Google Chrome-based browsers: [CVE-2022-0609](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0609>), [CVE-2022-1096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>), and [CVE-2022-1364](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1364>). The first one was found in the animation component; it exploits a Use-After-Free error, causing memory corruption, which is followed by the attacker creating custom objects to execute arbitrary code. The second and third vulnerabilities are Type Confusion errors associated with the V8 script engine; they can also result in arbitrary code being executed on a vulnerable user's system. Some of the vulnerabilities discovered were found to have been exploited in targeted attacks in the wild. Mozilla Firefox was found to contain a high-risk Use-After-Free vulnerability, [CVE-2022-1097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097>), which appears when processing NSSToken-type objects from different streams. The browser was also found to contain [CVE-2022-28281](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281>), a vulnerability that affects the WebAuthn extension. 
A compromised Firefox content process can write data out of bounds of the parent process memory, thus potentially enabling code execution with elevated privileges. Two further vulnerabilities, [CVE-2022-1802](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/>) and [CVE-2022-1529](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/>), were exploited in cybercriminal attacks. The exploitation method, dubbed "prototype pollution", allows executing arbitrary JavaScript code in the context of a privileged parent browser process.\n\nAs in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits of Java applications, the Flash platform, and PDF documents, each with 3%.\n\n## Attacks on macOS\n\nThe second quarter brought with it a new batch of cross-platform discoveries. For instance, a new APT group [Earth Berberoka](<https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html>) (GamblingPuppet) that specializes in hacking online casinos, uses malware for Windows, Linux, and macOS. 
The [TraderTraitor](<https://www.cisa.gov/uscert/ncas/alerts/aa22-108a>) campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Amc.e | 25.61 \n2 | AdWare.OSX.Agent.ai | 12.08 \n3 | AdWare.OSX.Pirrit.j | 7.84 \n4 | AdWare.OSX.Pirrit.ac | 7.58 \n5 | AdWare.OSX.Pirrit.o | 6.48 \n6 | Monitor.OSX.HistGrabber.b | 5.27 \n7 | AdWare.OSX.Agent.u | 4.27 \n8 | AdWare.OSX.Bnodlero.at | 3.99 \n9 | Trojan-Downloader.OSX.Shlayer.a | 3.87 \n10 | Downloader.OSX.Agent.k | 3.67 \n11 | AdWare.OSX.Pirrit.aa | 3.35 \n12 | AdWare.OSX.Pirrit.ae | 3.24 \n13 | Backdoor.OSX.Twenbc.e | 3.16 \n14 | AdWare.OSX.Bnodlero.ax | 3.06 \n15 | AdWare.OSX.Agent.q | 2.73 \n16 | Trojan-Downloader.OSX.Agent.h | 2.52 \n17 | AdWare.OSX.Bnodlero.bg | 2.42 \n18 | AdWare.OSX.Cimpli.m | 2.41 \n19 | AdWare.OSX.Pirrit.gen | 2.08 \n20 | AdWare.OSX.Agent.gen | 2.01 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs usual, the TOP 20 ranking for threats detected by Kaspersky security solutions for macOS users is dominated by various adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already a leader, encountered by a quarter of all attacked users. Members of this family display fake system problem messages and offer the full version for purchase to fix them. 
It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025743/10-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | France | 2.93 \n2 | Canada | 2.57 \n3 | Spain | 2.51 \n4 | United States | 2.45 \n5 | India | 2.24 \n6 | Italy | 2.21 \n7 | Russian Federation | 2.13 \n8 | United Kingdom | 1.97 \n9 | Mexico | 1.83 \n10 | Australia | 1.82 \n \n_* Excluded from the rating are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). 
AdWare.OSX.Amc.e was the most common adware encountered in these three countries.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.\n\nTelnet | 82.93% \n---|--- \nSSH | 17.07% \n \n**_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022_**\n\nThe statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 93.75% \n---|--- \nSSH | 6.25% \n \n**_Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022_**\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 36.28 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 14.66 \n3 | Backdoor.Linux.Mirai.ek | 9.15 \n4 | Backdoor.Linux.Mirai.ba | 8.82 \n5 | Trojan.Linux.Agent.gen | 4.01 \n6 | Trojan.Linux.Enemybot.a | 2.96 \n7 | Backdoor.Linux.Agent.bc | 2.58 \n8 | Trojan-Downloader.Shell.Agent.p | 2.36 \n9 | Trojan.Linux.Agent.mg | 1.72 \n10 | Backdoor.Linux.Mirai.cw | 1.45 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT-threat statistics [are published in the DDoS report](<https://securelist.com/ddos-attacks-in-q2-2022/107025/#attacks-on-iot-honeypots>) for Q2 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums._\n\n### TOP 10 countries and territories that serve as sources of web-based attacks\n\n_The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025818/11-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nNote that these rankings only include attacks by malicious objects that fall under the **Malware** class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 26.07 \n2 | Hong Kong | 14.60 \n3 | Algeria | 14.40 \n4 | Nepal | 14.00 \n5 | Tunisia | 13.55 \n6 | Serbia | 12.88 \n7 | Sri Lanka | 12.41 \n8 | Albania | 12.21 \n9 | Bangladesh | 11.98 \n10 | Greece | 11.86 \n11 | Palestine | 11.82 \n12 | Qatar | 11.50 \n13 | Moldova | 11.47 \n14 | Yemen | 11.44 \n15 | Libya | 11.34 \n16 | Zimbabwe | 11.15 \n17 | Morocco | 11.03 \n18 | Estonia | 11.01 \n19 | Turkey | 10.75 \n20 | Mongolia | 10.50 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._\n\nOn average during the quarter, 8.31% of the Internet users' computers worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025917/12-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q2 2022, our File Anti-Virus detected **55,314,176** malicious and potentially unwanted objects.\n\n### Countries and territories where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.\n\nNote that these rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 47.54 \n2 | Tajikistan | 44.91 \n3 | Afghanistan | 43.19 \n4 | Yemen | 43.12 \n5 | Cuba | 42.71 \n6 | Ethiopia | 41.08 \n7 | Uzbekistan | 37.91 \n8 | Bangladesh | 37.90 \n9 | Myanmar | 36.97 \n10 | South Sudan | 36.60 \n11 | Syria | 35.60 \n12 | Burundi | 34.88 \n13 | Rwanda | 33.69 \n14 | Algeria | 33.61 \n15 | Benin | 33.60 \n16 | Tanzania | 32.88 \n17 | Malawi | 32.65 \n18 | Venezuela | 31.79 \n19 | Cameroon | 31.34 \n20 | Chad | 30.92 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025948/13-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\nOn 
average worldwide, Malware-class local threats were registered on 14.65% of users' computers at least once during Q2. Russia scored 16.66% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-15T12:00:43", "type": "securelist", "title": "IT threat evolution in Q2 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-44228", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1097", "CVE-2022-1364", "CVE-2022-1529", "CVE-2022-1802", "CVE-2022-22965", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24521", "CVE-2022-26809", "CVE-2022-26925", "CVE-2022-28281", "CVE-2022-30190"], "modified": "2022-08-15T12:00:43", "id": "SECURELIST:0ED76DA480D73D593C82769757DFD87A", "href": "https://securelist.com/it-threat-evolution-in-q2-2022-non-mobile-statistics/107133/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-06-03T14:43:38", "description": "BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is 
exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn't using the internal lightning node, the credentials of a lightning node are exposed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-31T22:15:00", "type": "cve", "title": "CVE-2022-32984", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-32984"], "modified": "2023-02-08T22:22:00", "cpe": ["cpe:/a:btcpayserver:btcpay_server:1.5.3"], "id": "CVE-2022-32984", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32984", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:btcpayserver:btcpay_server:1.5.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:50:30", "description": "Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T19:15:00", "type": "cve", "title": "CVE-2022-35805", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-35805"], "modified": "2023-04-11T21:15:00", "cpe": ["cpe:/a:microsoft:dynamics_365:9.1", "cpe:/a:microsoft:dynamics_365:9.0"], "id": "CVE-2022-35805", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35805", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:dynamics_365:9.1:*:*:*:on-premises:*:*:*", "cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:*"]}, {"lastseen": "2023-06-03T14:43:15", "description": "An out-of-bounds read issue was addressed with improved bounds checking. This issue is fixed in watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5. 
An app may be able to disclose kernel memory.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-09-23T19:15:00", "type": "cve", "title": "CVE-2022-32817", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-32817"], "modified": "2023-01-09T16:41:00", "cpe": [], "id": "CVE-2022-32817", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32817", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-06-03T14:43:38", "description": "Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-06-20T16:15:00", "type": "cve", "title": 
"CVE-2022-32983", "cwe": ["CWE-290"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-32983"], "modified": "2022-06-27T18:34:00", "cpe": ["cpe:/a:nic:knot_resolver:5.5.1"], "id": "CVE-2022-32983", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32983", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:nic:knot_resolver:5.5.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:48:09", "description": "Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T19:15:00", "type": "cve", "title": "CVE-2022-34700", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34700"], "modified": "2023-04-11T21:15:00", "cpe": ["cpe:/a:microsoft:dynamics_365:9.1", "cpe:/a:microsoft:dynamics_365:9.0"], "id": "CVE-2022-34700", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34700", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:dynamics_365:9.1:*:*:*:on-premises:*:*:*", "cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:*"]}, {"lastseen": "2023-06-03T14:48:12", "description": "Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T19:15:00", "type": "cve", "title": "CVE-2022-34722", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34722"], "modified": "2023-04-11T21:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", 
"cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2022-34722", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34722", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:azure:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:48:11", "description": "Windows TCP/IP Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T19:15:00", "type": "cve", "title": "CVE-2022-34718", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34718"], "modified": "2023-04-11T21:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2022-34718", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34718", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:azure:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:50:30", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T19:15:00", "type": "cve", "title": "CVE-2022-35803", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-35803"], "modified": "2023-04-11T21:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2022-35803", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35803", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:azure:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": 
"2023-06-03T14:48:12", "description": "Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T19:15:00", "type": "cve", "title": "CVE-2022-34721", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34721"], "modified": "2023-04-11T21:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2022-34721", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34721", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:azure:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:55:18", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T19:15:00", "type": "cve", "title": "CVE-2022-37969", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37969"], "modified": "2023-04-11T21:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2022-37969", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37969", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:rt:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:azure:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", 
"cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*"]}, {"lastseen": "2023-06-10T14:34:25", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24481.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24521", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-22T15:26:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_rt_8.1:-"], "id": "CVE-2022-24521", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24521", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-10T14:34:16", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24521.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24481", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-22T16:46:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_rt_8.1:-"], "id": "CVE-2022-24481", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24481", 
"cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}], "cnvd": [{"lastseen": "2022-09-16T17:40:06", "description": "Microsoft Dynamics is a suite of ERP business solutions for multinational companies from Microsoft Corporation (USA). The product includes financial management, production management and business intelligence management, etc. Microsoft Dynamics has a security vulnerability. 
No details of the vulnerability are available at this time.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "cnvd", "title": "Microsoft Dynamics CRM Remote Code Execution Vulnerability (CNVD-2022-63616)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-35805"], "modified": "2022-09-16T00:00:00", "id": "CNVD-2022-63616", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-63616", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-16T17:40:09", "description": "Microsoft Dynamics is a suite of ERP business solutions for multinational companies from Microsoft Corporation (USA). The product includes financial management, production management and business intelligence management, etc. Microsoft Dynamics has a security vulnerability. 
No details of the vulnerability are available at this time.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "cnvd", "title": "Microsoft Dynamics CRM Remote Code Execution Vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-34700"], "modified": "2022-09-16T00:00:00", "id": "CNVD-2022-63617", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-63617", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-16T17:40:04", "description": "Microsoft Windows is a set of operating systems for personal devices from Microsoft Corporation (USA).A security vulnerability exists in Microsoft Windows IKE Extension. 
No details of the vulnerability are currently available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows has an unspecified vulnerability (CNVD-2022-63614)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-34722"], "modified": "2022-09-16T00:00:00", "id": "CNVD-2022-63614", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-63614", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-29T14:57:03", "description": "Microsoft Windows TCP/IP component is a component of Microsoft Corporation (USA) that provides TCP/IP configuration functionality for Windows.A security vulnerability exists in Microsoft Windows TCP/IP. 
An unauthenticated attacker could send specially crafted IPv6 packets to a host running Windows with IPSec services enabled, allowing remote execution of arbitrary code on the target host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows TCP/IP Remote Code Execution Vulnerability (CNVD-2022-63613)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-34718"], "modified": "2022-11-27T00:00:00", "id": "CNVD-2022-63613", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-63613", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-16T17:40:06", "description": "Microsoft Windows is a set of operating systems for personal devices from Microsoft Corporation (USA).A security vulnerability exists in Microsoft Windows IKE Extension. 
No details of the vulnerability are currently available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows Internet has an unspecified vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-34721"], "modified": "2022-09-16T00:00:00", "id": "CNVD-2022-63615", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-63615", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-16T17:40:09", "description": "Microsoft Windows Common Log File System Driver is a Microsoft Corporation Common Log File System (CLFS) API that provides a high-performance, common log file subsystem that can be used by dedicated client applications and shared by multiple clients to optimize log access. A security vulnerability exists in the Microsoft Windows Common Log File System Driver. 
No details of the vulnerability are currently available.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows Common Log File System Driver has an unspecified vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-37969"], "modified": "2022-09-16T00:00:00", "id": "CNVD-2022-63618", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-63618", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-10T21:56:04", "description": "Microsoft Windows Common Log File System Driver is a Microsoft Corporation Common Log File System (CLFS) API that provides a high-performance, common log file subsystem that can be used by dedicated client applications and shared by multiple clients to optimize log access. An elevation-of-privilege vulnerability exists in the Microsoft Windows Common Log File System Driver. 
An attacker could exploit this vulnerability to execute arbitrary code with elevated privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "cnvd", "title": "Microsoft Windows Common Log File System Driver Privilege Escalation Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-09-10T00:00:00", "id": "CNVD-2022-62521", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-62521", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-06-03T14:58:54", "description": "Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", 
"type": "mscve", "title": "Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-35805"], "modified": "2022-09-13T07:00:00", "id": "MS:CVE-2022-35805", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35805", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:58:51", "description": "Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mscve", "title": "Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34700"], "modified": "2022-09-13T07:00:00", "id": "MS:CVE-2022-34700", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34700", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:58:49", "description": "Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mscve", "title": "Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34722"], "modified": "2022-09-13T07:00:00", "id": "MS:CVE-2022-34722", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34722", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:58:49", "description": "Windows TCP/IP Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mscve", "title": "Windows TCP/IP Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34718"], "modified": "2022-09-23T07:00:00", "id": "MS:CVE-2022-34718", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:58:54", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mscve", "title": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "MS:CVE-2022-35803", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35803", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:58:49", "description": "Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mscve", "title": "Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2022-34721"], "modified": "2022-09-23T07:00:00", "id": "MS:CVE-2022-34721", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34721", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:58:45", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mscve", "title": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37969"], "modified": "2022-09-13T07:00:00", "id": "MS:CVE-2022-37969", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-10T15:20:25", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24481.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-24521", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24521", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-10T15:20:16", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24521.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T08:00:00", "type": "mscve", "title": "Windows Common Log File System Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-12T08:00:00", "id": "MS:CVE-2022-24481", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24481", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-06-04T13:20:40", "description": "Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an\nattempt to limit forwarding actions by filters.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[ccdm94](<https://launchpad.net/~ccdm94>) | there seems to be no fix for this issue, only a documentation update in commit ccb9d979.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": 
"LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-06-20T00:00:00", "type": "ubuntucve", "title": "CVE-2022-32983", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-32983"], "modified": "2022-06-20T00:00:00", "id": "UB:CVE-2022-32983", "href": "https://ubuntu.com/security/CVE-2022-32983", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2023-06-03T14:40:44", "description": "Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-06-20T16:15:00", "type": "debiancve", "title": "CVE-2022-32983", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": 
"PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-32983"], "modified": "2022-06-20T16:15:00", "id": "DEBIANCVE:CVE-2022-32983", "href": "https://security-tracker.debian.org/tracker/CVE-2022-32983", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "mskb": [{"lastseen": "2023-05-19T10:54:19", "description": "None\nDynamics 365\n\n## Introduction\n\nService Update 9.0.40 for Microsoft Dynamics CRM (on-premises) 9.0 is now available. This article describes the hotfixes and updates that are included in Service Update 9.0.40.\n\n## More information\n\nUpdate package| Version Number \n---|--- \nService Update 0.40 for Microsoft Dynamics CRM (on-premises) 9.0| 9.0.40.5 \nTo determine whether your organization had this update applied, check your Microsoft Dynamics CRM Online version number. 
Select the gear icon in the upper-right corner, and then select About.\n\n### **Update information**\n\nMicrosoft Dynamics 365 (on-premises) Update 0.40 is now available.The following file is available for download from the Microsoft Download Center:[Download the Microsoft Dynamics 365 (on-premises) Update 0.40 package now.](<https://www.microsoft.com/en-us/download/details.aspx?id=104484>)\n\n### Service Update 0.40 resolves the following issues\n\n**Repaired functionality**The following list details items in Dynamics that were not functioning but are now repaired:\n\n * Localization Fixes.\n * Security Fixes.\nNote: An asterisk (*) at the end of a fix statement denotes that this repair item was incorporated into multiple service update releases.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "Service-Update-0.40-for-Microsoft-Dynamics CRM ( on-premises)-9.0", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-34700"], "modified": "2022-09-13T07:00:00", "id": "KB5017524", "href": "https://support.microsoft.com/en-us/help/5017524", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:14", "description": "None\nDynamics 365\n\n## Introduction\n\nService Update 9.1.12 for Microsoft Dynamics CRM (on-premises) 9.1 is now available. 
This article describes the hotfixes and updates that are included in Service Update 9.1.12.\n\n## More information\n\nUpdate package| Version Number \n---|--- \nService Update 1.12 for Microsoft Dynamics CRM (on-premises) 9.1 | 9.1.12.17 \nTo determine whether your organization had this update applied, check your Microsoft Dynamics CRM Online version number. Select the gear icon in the upper-right corner, and then select About.\n\n### **Update information**\n\nMicrosoft Dynamics 365 (on-premises) Update 1.12 is now available.The following file is available for download from the Microsoft Download Center:[Download the Microsoft Dynamics 365 (on-premises) Update 1.12 package now](<https://www.microsoft.com/en-us/download/details.aspx?id=104483>)\n\n### Service Update 1.12 resolves the following issues\n\n**Repaired functionality**The following list details items in Dynamics that were not functioning but are now repaired:\n\n * When changing first week of year setting, charts in UCI will be grouped correctly as the web client behaves.\n * When trying to create a Quick Campaign of type email in UCI of On-Premise, The Text editor of email is not getting loaded and Customer is not able to insert anything in the body of the email.\n * Accessibility fixes. 
\n * Security fixes.\nNote: An asterisk (*) at the end of a fix statement denotes that this repair item was incorporated into multiple service update releases.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "Service Update 1.12 for Microsoft Dynamics CRM (on-premises) 9.1", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-34700"], "modified": "2022-09-13T07:00:00", "id": "KB5017226", "href": "https://support.microsoft.com/en-us/help/5017226", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:14", "description": "None\n**8/26/22** \n**REMINDER **Windows Server, version 20H2 reached end of service on August 9, 2022. After August 9, 2022, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows Server.We will continue to service the following editions: Windows 10 Enterprise and Education, Windows 10 IoT Enterprise, Windows 10 Enterprise multi-session, and Windows 10 on Surface Hub. \n\n**5/10/22** \n**REMINDER **To update to one of the newer versions of Windows 10, we recommend that you use the appropriate Enablement Package KB (EKB). Using the EKB makes updating faster and easier and requires a single restart. To find the EKB for a specific OS, go to the **Improvements** section and click or tap the OS name to expand the collapsible section. 
\n\n**11/17/20**For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). For an overview of Windows 10, version 20H2, see its update history page. **Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the Windows release health dashboard.\n\n## Highlights\n\n * Addresses security issues for your Windows operating system. \n\n## Improvements \n\n**Note **To view the list of addressed issues, click or tap the OS name to expand the collapsible section.\n\n### \n\n__\n\nWindows 10, version 21H2\n\n**Important: **Use EKB KB5003791 to update to Windows 10, version 21H2.\n\nThis security update includes quality improvements. Key changes include: \n\n * This build includes all the improvements from the supported Windows 10, version 20H2 editions.\n * No additional issues were documented for this release. \n\n### \n\n__\n\nWindows 10, version 21H1\n\n**Important: **Use EKB KB5000736 to update to Windows 10, version 21H1.\n\nThis security update includes quality improvements. Key changes include: \n\n * This build includes all the improvements from the supported Windows 10, version 20H2 editions.\n * No additional issues were documented for this release.\n\n### \n\n__\n\nWindows 10, version 20H2 editions: Windows 10 Enterprise Multi-Session, Windows 10 Enterprise and Education, Windows 10 IoT Enterprise\n\n**Important: **Use EKB KB4562830 to update to Windows Server, version 20H2.\n\nThis security update includes improvements that were a part of update KB5016688 (released August 26, 2022) and also addresses the following issues: \n\n * This update contains miscellaneous security improvements to internal OS functionality. 
No additional issues were documented for this release.\nIf you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>). \n\n### Windows 10 servicing stack update - 19042.1940, 19043.1940, and 19044.1940\n\nThis update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptom**| **Workaround** \n---|--- \nDevices with Windows installations created from custom offline media or custom ISO image might have [Microsoft Edge Legacy](<https://support.microsoft.com/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0>) removed by this update, but not automatically replaced by the new Microsoft Edge. This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later.**Note **Devices that connect directly to Windows Update to receive updates are not affected. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and latest cumulative update (LCU) without any extra steps. | To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. 
To do this with the combined SSU and LCU packages now used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package. Use the following steps to extract the SSU:\n\n 1. Extract the cab from the msu via this command line (using the package for KB5000842 as an example): **expand Windows10.0-KB5000842-x64.msu /f:Windows10.0-KB5000842-x64.cab <destination path>**\n 2. Extract the SSU from the previously extracted cab via this command line: **expand Windows10.0-KB5000842-x64.cab /f:* <destination path>**\n 3. You will then have the SSU cab, in this example named **SSU-19041.903-x64.cab**. Slipstream this file into your offline image first, then the LCU.\nIf you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the [new Microsoft Edge](<https://www.microsoft.com/edge>). If you need to broadly deploy the new Microsoft Edge for business, see [Download and deploy Microsoft Edge for business](<https://www.microsoft.com/edge/business/download>). \n| \nAfter installing this update, XPS Viewer might be unable to open XML Paper Specification (XPS) documents in some non-English languages, including some Japanese and Chinese character encodings. This issue affects both XML Paper Specification (XPS) and Open XML Paper Specification (OXPS) files. When encountering this issue, you may receive an error, \"This page cannot be displayed\" within XPS Viewer or it might stop responding and have high CPU usage with continually increasing memory usage. When the error is encountered, if XPS Viewer is not closed it might reach up to 2.5GB of memory usage before closing unexpectedly.This issue does not affect most home users. 
The [XPS Viewer is no longer installed by default as of Windows 10, version 1803](<https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features>) and [must be manually installed](<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fapplication-management%2Fadd-apps-and-features&data=05%7C01%7Cv-shros%40microsoft.com%7Cf67e41cad4af4dcf09ac08da79a42805%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637956043196783103%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mAxvq%2BP02NuUNLL2Heb2Ukgr1KQwfN5Gs0xwQBs5egY%3D&reserved=0>).| This issue is addressed in KB5017380. \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. This moves the DST change which was previously September 4 to September 10.Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * \u200bTime shown in Windows and apps will not be correct.\n * \u200bApps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * \u200bAutomation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * \u200bTimestamp on transactions, files, and logs will be 60 minutes off.\n * \u200bOperations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources.\n * \u200bWindows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. 
Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| This issue is addressed in KB5017380. \nAfter installing this update, file copies using [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files using 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences **> **Windows Settings** in Group Policy Editor.| This issue was addressed in KB5018410. Installation of this update prevents and resolves this issue, but if any workaround was used to mitigate this issue, it will need to be changed back to the original configuration. \n \n## How to get this update\n\n**Before installing this update**Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/topic/servicing-stack-updates-ssu-frequently-asked-questions-06b62771-1cb0-368c-09cf-87c4efc4f2fe>).Prerequisite:Based on your installation scenario, choose one of the following:\n\n 1. For offline OS image servicing:If your image does not have the March 22, 2022 (KB5011543) or later LCU, you **must **install the special standalone May 10, 2022 SSU (KB5014032) before installing this update.\n 2. 
For Windows Server Update Services (WSUS) deployment or when installing the standalone package from Microsoft Update Catalog: If your devices do not have the May 11, 2021 (KB5003173) or later LCU, you **must **install the special standalone August 10, 2021 SSU (KB5005260) before installing this update.\n**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017308>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n \n**If you want to remove the LCU**To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**.Running [Windows Update Standalone Installer](<https://support.microsoft.com/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall **switch on the combined package will not work because the combined package contains the SSU. 
You cannot remove the SSU from the system after installation.\n\n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5017308](<https://download.microsoft.com/download/a/f/c/afcd607b-e9da-487e-a462-e51a8f66099d/5017308.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 19042.1940, 19043.1940, and 19044.1940](<https://download.microsoft.com/download/7/f/e/7fe2ea72-c849-41c6-80d0-a17ab27cd91b/SSU_version_19041_1940.csv>). \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017308 (OS Builds 19042.2006, 19043.2006, and 19044.2006)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017308", "href": "https://support.microsoft.com/en-us/help/5017308", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:16", "description": "None\n## **Summary**\n\nLearn more about this cumulative security update, including improvements, any known issues, and how to get the update.\n\n**IMPORTANT **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. 
Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release).Verify that** **you have installed the required updates in the **How to get this update** section before installing this update. Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ended on January 14, 2020. For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>). Because ESU is available as a separate SKU for each of the years in which they are offered (2020, 2021, and 2022)\u2014and because ESU can only be purchased in [specific 12-month periods](<https://docs.microsoft.com/lifecycle/faq/extended-security-updates>)\u2014you must purchase the third year of ESU coverage separately and activate a new key on each applicable device for your devices to continue receiving security updates in 2022.If your organization did not purchase the third year of ESU coverage, you must purchase Year 1, Year 2, and Year 3 ESU for your applicable Windows Server 2008 SP2 devices before you install and activate the Year 3 MAK keys to receive updates. The steps to [install, activate, and deploy ESUs](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) are the same for first, second, and third year coverage. 
For more information, see [Obtaining Extended Security Updates for eligible Windows devices](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) for the Volume Licensing process and [Purchasing Windows 7 ESUs as a Cloud Solution Provider](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/purchasing-windows-7-esus-as-a-cloud-solution-provider/ba-p/1034637>) for the CSP process. For embedded devices, contact your original equipment manufacturer (OEM).For more information, see the [ESU blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-extended-security-updates-for-windows-7-and-windows/ba-p/1872910>).\n\n**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages for Windows Server 2008 SP2, see the following update history [home page](<https://support.microsoft.com/help/4343218>).\n\n## **Improvements**\n\nThis cumulative security update contains improvements that are part of update [KB5016669](<https://support.microsoft.com/help/5016669>) (released August 9, 2022) and includes key changes for the following issue:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No specific issues are documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the [Deployments | Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>) and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).\n\n## **Known issues in this update**\n\n**Symptom**| **Next step** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. 
Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. 
This moves the DST change which was previously September 4 to September 10.Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * \u200bTime shown in Windows and apps will not be correct.\n * \u200bApps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * \u200bAutomation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * \u200bTimestamp on transactions, files, and logs will be 60 minutes off.\n * \u200bOperations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources.\n\u200bWindows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.| This issue is resolved in update [KB5018450](<https://support.microsoft.com/help/5018450>). \nAfter installing this update, file copies which use [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files that have 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences** > **Windows Settings** in Group Policy Editor.| This issue is resolved in update [KB5018450](<https://support.microsoft.com/help/5018450>). If any workaround was used to mitigate this issue, we recommend that you revert to your original configuration. 

## **How to get this update**

**Before installing this update**

**IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/cloud-platform/extended-security-updates>) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates, because extended support ended on January 14, 2020. For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).

**Language packs** If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/library/hh825699>).

**Prerequisite:** You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.

 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.
 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)), released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).
 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for the ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).

After installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB5016129](<https://support.microsoft.com/help/5016129>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).

**Install this update**

**Release Channel** | **Available** | **Next Step**
---|---|---
Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer.
Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017358>) website.
Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows Server 2008 Service Pack 2; **Classification**: Security Updates

## **File information**

For a list of the files that are provided in this update, download the [file information for update KB5017358](<https://download.microsoft.com/download/a/1/6/a16a2df4-093e-4c2e-85af-8e481452848f/5017358.csv>).

## **References**

Learn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.

*Record: KB5017358, "September 13, 2022—KB5017358 (Monthly Rollup)", published 2022-09-13, <https://support.microsoft.com/en-us/help/5017358>. CVE list: CVE-2022-35803 (CVSS 3.1 base score 7.8, HIGH; vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; exploitability subscore 1.8, impact subscore 5.9).*

---

**September 13, 2022—KB5017361 (Monthly Rollup)** for Windows 7 SP1 and Windows Server 2008 R2 SP1 (<https://support.microsoft.com/en-us/help/5017361>)

## **Summary**

Learn more about this cumulative security update, including improvements, any known issues, and how to get the update.

**IMPORTANT** Windows 7, Windows Server 2008 R2, Windows Embedded Standard 7, and Windows Embedded POS Ready 7 have reached the end of mainstream support and are now in extended security update (ESU) support. Windows Thin PC has reached the end of mainstream support; however, ESU support is not available.
Starting in July 2020, there are no longer optional, non-security releases (known as "C" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the "B" or Update Tuesday release).

Verify that you have installed the required updates in the **How to get this update** section before installing this update. Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ended on January 14, 2020. For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).

Because ESU is available as a separate SKU for each of the years in which it is offered (2020, 2021, and 2022), and because ESU can only be purchased in [specific 12-month periods](<https://docs.microsoft.com/lifecycle/faq/extended-security-updates>), you must purchase the third year of ESU coverage separately and activate a new key on each applicable device for your devices to continue receiving security updates in 2022. If your organization did not purchase the third year of ESU coverage, you must purchase Year 1, Year 2, and Year 3 ESU for your applicable Windows 7 SP1 or Windows Server 2008 R2 SP1 devices before you install and activate the Year 3 MAK keys to receive updates. The steps to [install, activate, and deploy ESUs](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) are the same for first, second, and third year coverage. For more information, see [Obtaining Extended Security Updates for eligible Windows devices](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) for the Volume Licensing process and [Purchasing Windows 7 ESUs as a Cloud Solution Provider](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/purchasing-windows-7-esus-as-a-cloud-solution-provider/ba-p/1034637>) for the CSP process. For embedded devices, contact your original equipment manufacturer (OEM). For more information, see the [ESU blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-extended-security-updates-for-windows-7-and-windows/ba-p/1872910>).

**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages for Windows 7 and Windows Server 2008 R2, see the following update history [home page](<https://support.microsoft.com/help/4009469>).

## **Improvements**

This cumulative security update contains improvements that are part of update [KB5016676](<https://support.microsoft.com/help/5016676>) (released August 9, 2022) and includes key changes for the following issue:

 * This update contains miscellaneous security improvements to internal OS functionality. No specific issues are documented for this release.

For more information about the resolved security vulnerabilities, refer to the [Deployments | Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>) and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).

## **Known issues in this update**

**Symptom:** After installing this update and restarting your device, you might receive the error "Failure to configure Windows updates. Reverting Changes. Do not turn off your computer", and the update might show as **Failed** in **Update History**.

**Next step:** This is expected in the following circumstances:

 * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).
 * If you do not have an ESU MAK add-on key installed and activated.

If you have purchased an ESU key and have encountered this issue, verify that you have applied all prerequisites and that your key is activated. For information on activation, see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article.

**Symptom:** Starting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. This moves the DST change, which was previously September 4, to September 10. The symptoms on devices without the workaround between September 4, 2022 and September 11, 2022 are the same as described for KB5017358 above: incorrect displayed time; meeting notifications and scheduling in apps such as Microsoft Teams and Microsoft Outlook, scheduled tasks, and timestamps on transactions, files and logs 60 minutes off; and possible authentication failures in time-dependent protocols such as Kerberos. Windows devices and apps outside of Chile might also be affected if they connect to servers or devices in Chile or schedule or attend meetings taking place in Chile; they should not use the workaround, as it would change the local time on the device.

**Next step:** This issue is resolved in update [KB5018454](<https://support.microsoft.com/help/5018454>).

**Symptom:** After installing this update, file copies that use [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11)>) might fail or might create empty shortcuts or files of 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences** > **Windows Settings** in Group Policy Editor.

**Next step:** This issue is resolved in update [KB5018454](<https://support.microsoft.com/help/5018454>). If any workaround was used to mitigate this issue, we recommend that you revert to your original configuration.

## **How to get this update**

**Before installing this update**

**IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/cloud-platform/extended-security-updates>) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates. Extended support ended as follows:

 * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ended on January 14, 2020.
 * For Windows Embedded Standard 7, extended support ended on October 13, 2020.
 * For Windows Embedded POS Ready 7, extended support ended on October 12, 2021.
 * For Windows Thin PC, extended support ended on October 12, 2021. Note that ESU support is not available for Windows Thin PC.

For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).

**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.

**Language packs** If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/library/hh825699>).

**Prerequisite** You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.

 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.
 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)), released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).
 3. To get this security update, you must reinstall the "Extended Security Updates (ESU) Licensing Preparation Package" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the "Update for the Extended Security Updates (ESU) Licensing Preparation Package" ([KB4575903](<https://support.microsoft.com/help/4575903>)), even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for the ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).

After you install the items above, we strongly recommend that you install the latest SSU ([KB5017397](<https://support.microsoft.com/help/5017397>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).

**Install this update**

**Release Channel** | **Available** | **Next Step**
---|---|---
Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer.
Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017361>) website.
Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7; **Classification**: Security Updates

## **File information**

For a list of the files that are provided in this update, download the [file information for update KB5017361](<https://download.microsoft.com/download/6/f/f/6ff96d09-1ecb-4c51-bcda-70aa60227616/5017361.csv>).

## **References**

Learn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.

*Record: KB5017361, "September 13, 2022—KB5017361 (Monthly Rollup)", published 2022-09-13, <https://support.microsoft.com/en-us/help/5017361>. CVE list: CVE-2022-35803 (CVSS 3.1 base score 7.8, HIGH; vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).*

---

**September 13, 2022—KB5017373 (Security-only update)** for Windows 7 SP1 and Windows Server 2008 R2 SP1 (<https://support.microsoft.com/en-us/help/5017373>)

## **Summary**

Learn more about this security-only update, including improvements, any known issues, and how to get the update.

**IMPORTANT** The support status of Windows 7, Windows Server 2008 R2, Windows Embedded Standard 7, Windows Embedded POS Ready 7 and Windows Thin PC, the end of optional "C" releases in July 2020, and the ESU purchase and activation requirements (including the separate Year 3 SKU and MAK key, the Volume Licensing and CSP processes, and the OEM route for embedded devices) are identical to those stated in the **Summary** of KB5017361 above and are not repeated here. Verify that you have installed the required updates in the **How to get this update** section before installing this update.

**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages for Windows 7 SP1 and Windows Server 2008 R2 SP1, see the following update history [home page](<https://support.microsoft.com/help/4009469>).

## **Improvements**

This security-only update includes key changes for the following issue:

 * This update contains miscellaneous security improvements to internal OS functionality. No specific issues are documented for this release.

For more information about the resolved security vulnerabilities, refer to the [Deployments | Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>) and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).

## **Known issues in this update**

**Symptom:** After installing this update and restarting your device, you might receive the error "Failure to configure Windows updates. Reverting Changes. Do not turn off your computer", and the update might show as **Failed** in **Update History**.

**Next step:** This is expected in the following circumstances:

 * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).
 * If you do not have an ESU MAK add-on key installed and activated.

If you have purchased an ESU key and have encountered this issue, verify that you have applied all prerequisites and that your key is activated. For information on activation, see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article.

**Symptom:** The Chile daylight saving time (DST) change (official time advances 60 minutes at 12:00 A.M. Saturday, September 10, 2022, moving the DST change from September 4 to September 10 in accordance with the Chilean government's August 9, 2022 announcement) affects this update exactly as described for KB5017358 above: without the workaround, devices show incorrect time between September 4 and September 11, 2022; meeting scheduling and notifications, scheduled tasks, and timestamps on transactions, files and logs are 60 minutes off; and operations that rely on time-dependent protocols such as Kerberos might fail authentication. Windows devices and apps outside of Chile that connect to devices in Chile or schedule or attend meetings taking place in Chile might also be affected, and should not use the workaround, as it would change the local time on the device.

**Next step:** This issue is resolved in update [KB5018479](<https://support.microsoft.com/help/5018479>).

**Symptom:** After installing this update, file copies that use [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11)>) might fail or might create empty shortcuts or files of 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences** > **Windows Settings** in Group Policy Editor.

**Next step:** This issue is resolved in update [KB5018479](<https://support.microsoft.com/help/5018479>).
If any workaround was used to mitigate this issue, we recommend that you revert to your original configuration.

## **How to get this update**

**Before installing this update**

**IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/cloud-platform/extended-security-updates>) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates. Extended support ended as follows:

 * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ended on January 14, 2020.
 * For Windows Embedded Standard 7, extended support ended on October 13, 2020.
 * For Windows Embedded POS Ready 7, extended support ended on October 12, 2021.
 * For Windows Thin PC, extended support ended on October 12, 2021. Note that ESU support is not available for Windows Thin PC.

For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).

**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.

**Language packs** If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/library/hh825699>).

**Prerequisite:** You must install the updates listed below and **restart your device** before installing this security-only update. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the update and applying Microsoft security fixes. The prerequisites are the same as for the Monthly Rollup KB5017361:

 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.
 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)), released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).
 3. To get this security update, you must reinstall the "Extended Security Updates (ESU) Licensing Preparation Package" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the "Update for the Extended Security Updates (ESU) Licensing Preparation Package" ([KB4575903](<https://support.microsoft.com/help/4575903>)), even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for the ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).

After installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB5017397](<https://support.microsoft.com/help/5017397>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).
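The prerequisite chain above (2019 SSU, SHA-2 support update, ESU licensing preparation package, latest SSU, plus an installed and activated ESU MAK add-on) is the part that most often goes wrong on a fleet of ESU-era hosts, and a missing piece surfaces only as the "Failure to configure Windows updates" rollback described in the known issues. The following PowerShell script is an added example, not part of Microsoft's KB articles; it checks a single host against the prerequisite lists given for KB5017361/KB5017373 (Windows 7 SP1 and Windows Server 2008 R2 SP1) and for KB5017358 (Windows Server 2008 SP2), so it covers both prerequisite sets rather than one article. It assumes PowerShell 3.0 or later (for `Get-CimInstance`) and an elevated session; the match of the ESU add-on's licensing entry on the substring "ESU" in its `Name` is an assumption about the licensing data, not something the KB articles state.

```powershell
# Added example, not Microsoft's code: check one ESU-era host for the prerequisite
# packages and the activated ESU add-on that the KB articles above require before
# the September 2022 update is applied. Requires PowerShell 3.0 or later
# (Get-CimInstance); run from an elevated session.
param(
    # Which prerequisite set to check. 'Auto' picks from the OS version.
    [ValidateSet('Auto', 'Win7_2008R2', 'Server2008SP2')]
    [string]$Target = 'Auto'
)

# KB numbers as listed in the KB articles above.
$Prereqs = @{
    'Win7_2008R2'   = @{
        Required  = @('KB4490628', 'KB4474419')   # March 12, 2019 SSU; SHA-2 support
        EitherOf  = @('KB4538483', 'KB4575903')   # ESU licensing preparation package
        LatestSsu = 'KB5017397'
        Update    = @('KB5017361', 'KB5017373')   # Monthly Rollup or Security-only
    }
    'Server2008SP2' = @{
        Required  = @('KB4493730', 'KB4474419')   # April 9, 2019 SSU; SHA-2 support
        EitherOf  = @('KB4538484', 'KB4575904')   # ESU licensing preparation package
        LatestSsu = 'KB5016129'
        Update    = @('KB5017358')
    }
}

function Get-TargetFromOs {
    # Windows 7 SP1 / Server 2008 R2 SP1 report NT 6.1.x; Server 2008 SP2 reports NT 6.0.x.
    $version = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
    switch -Regex ($version) {
        '^6\.1\.' { return 'Win7_2008R2' }
        '^6\.0\.' { return 'Server2008SP2' }
        default   { throw "OS version $version is not one of the ESU-era systems covered by these KB articles." }
    }
}

if ($Target -eq 'Auto') { $Target = Get-TargetFromOs }
$set = $Prereqs[$Target]

# Get-HotFix reads Win32_QuickFixEngineering, which lists installed packages by KB id.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

$checks = @()
foreach ($kb in $set.Required) {
    $checks += [pscustomobject]@{ Check = "Required package $kb"; Ok = ($installed -contains $kb) }
}
$checks += [pscustomobject]@{
    Check = "ESU licensing preparation ($($set.EitherOf -join ' or '))"
    Ok    = [bool]($set.EitherOf | Where-Object { $installed -contains $_ })
}
$checks += [pscustomobject]@{
    Check = "Latest SSU $($set.LatestSsu)"
    Ok    = ($installed -contains $set.LatestSsu)
}

# An installed and activated ESU MAK add-on (LicenseStatus 1 = Licensed) is what
# separates a successful install from "Failure to configure Windows updates".
# Assumption: the add-on's licensing entry contains "ESU" in its Name.
$esu = Get-CimInstance -ClassName SoftwareLicensingProduct |
    Where-Object { $_.Name -like '*ESU*' -and $_.PartialProductKey }
$checks += [pscustomobject]@{
    Check = 'ESU add-on key installed and activated'
    Ok    = [bool]($esu | Where-Object { $_.LicenseStatus -eq 1 })
}

# Informational: has the September 2022 update itself already landed?
$checks += [pscustomobject]@{
    Check = "September 2022 update present ($($set.Update -join ' or '))"
    Ok    = [bool]($set.Update | Where-Object { $installed -contains $_ })
}

$checks | Format-Table -AutoSize

$missing = $checks | Where-Object { -not $_.Ok -and $_.Check -notlike 'September 2022*' }
if ($missing) {
    $list = ($missing | ForEach-Object { $_.Check }) -join '; '
    Write-Warning "Install the missing items and restart before applying $($set.Update -join '/'): $list"
}
```

Run it as `.\Check-EsuPrereqs.ps1` on the host, or with `-Target Server2008SP2` to force a set when the version check is not wanted. `Get-HotFix` only reports what Win32_QuickFixEngineering knows about; if a package you installed shows as missing, cross-check with `dism /online /get-packages` before reinstalling it. The ESU check is the one the KB articles single out: a correctly patched host with no activated MAK add-on still rolls the update back on restart.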
For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).

**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5016618](<https://support.microsoft.com/help/5016618>)).

**Install this update**

**Release Channel** | **Available** | **Next Step**
---|---|---
Windows Update and Microsoft Update | No | See the other options below.
Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017373>) website.
Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7; **Classification**: Security Updates

## **File information**

For a list of the files that are provided in this update, download the [file information for update KB5017373](<https://download.microsoft.com/download/c/3/e/c3ee55a8-ad79-4b99-be54-6dac03465efe/5017373.csv>).

## **References**

Learn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.

*Record: KB5017373, "September 13, 2022—KB5017373 (Security-only update)", published 2022-09-13, <https://support.microsoft.com/en-us/help/5017373>. CVE list: CVE-2022-35803 (CVSS 3.1 base score 7.8, HIGH; vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).*

---

**September 13, 2022—KB5017392 (OS Build 20348.916)** for Windows Server 2022 Datacenter: Azure Edition (hotpatch) (<https://support.microsoft.com/en-us/help/5017392>)

## Improvements and fixes

This security update includes quality improvements. Key changes include:

 * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.

If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.

## How to get this update

### Before installing this update

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the hotpatch update. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions. If you are using Windows Update or Windows Server Update Services (WSUS), the latest SSU will be installed with this update.

### Install this update

Release Channel | Available | Next Step
---|---|---
Windows Update | Yes | None. This update will be downloaded and installed automatically from Windows Update.
Microsoft Update Catalog | No | This hotpatch update is not offered as a standalone package through the Microsoft Update Catalog.
Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows Server 2022 Datacenter: Azure Edition Hotpatch; Classification: Security Updates

## File information

For a list of the files that are provided in this update, download the [file information for cumulative update 5017392](<https://download.microsoft.com/download/5/1/3/513f8daf-2d06-4f6a-9c8b-36b6277cb042/5017316.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 20348.945](<https://download.microsoft.com/download/f/5/b/f5b9c564-cedf-4c7d-bf65-dacafb5c4853/SSU_version_20348_945.csv>).

*Record: KB5017392, "September 13, 2022—KB5017392 (OS Build 20348.916)", published 2022-09-13, <https://support.microsoft.com/en-us/help/5017392>. CVE list: CVE-2022-35803 (CVSS 3.1 base score 7.8, HIGH; vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).*

---

The following record concerns the September 13, 2022 cumulative security update for Windows Server 2022; its KB number and title fall outside this excerpt.

For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). For an overview of Windows Server 2022, see its update history page.
**Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the Windows release health dashboard. \n\n## Improvements\n\nThis security update includes improvements that were a part of update KB5016693 (released August 16, 2022) and also addresses the following issues: \n\n * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.\nIf you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.For more information about security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>) and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>)\n\n### Windows 10 servicing stack update - 20348.945\n\nThis update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. 
This moves the DST change which was previously September 4 to September 10.Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * \u200bTime shown in Windows and apps will not be correct.\n * \u200bApps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * \u200bAutomation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * \u200bTimestamp on transactions, files, and logs will be 60 minutes off.\n * \u200bOperations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources.\n * \u200bWindows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| This issue is addressed in KB5017381. \nAfter installing this update, file copies using [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files using 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences **> **Windows Settings** in Group Policy Editor.| This issue was addressed in KB5018421. Installation of this update prevents and resolves this issue, but if any workaround was used to mitigate this issue, it will need to be changed back to the original configuration. 
\n \n## How to get this update\n\n**Before installing this update**Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/topic/servicing-stack-updates-ssu-frequently-asked-questions-06b62771-1cb0-368c-09cf-87c4efc4f2fe>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017316>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Microsoft Server operating system-21H2**Classification**: Security Updates \n \n**If you want to remove the LCU**To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. 
You can find the package name by using this command: **DISM /online /get-packages**.Running [Windows Update Standalone Installer](<https://support.microsoft.com/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall **switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.\n\n**File Information**For a list of the files that are provided in this update, download the [file information for cumulative update 5017316](<https://download.microsoft.com/download/5/1/3/513f8daf-2d06-4f6a-9c8b-36b6277cb042/5017316.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 20348.945](<https://download.microsoft.com/download/f/5/b/f5b9c564-cedf-4c7d-bf65-dacafb5c4853/SSU_version_20348_945.csv>). \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017316 (OS Build 20348.1006)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017316", "href": "https://support.microsoft.com/en-us/help/5017316", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:15", "description": "None\nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) 
and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). For an overview of Windows 11 (original release), see its update history page.**Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the Windows release health dashboard. \n\n\n\n## Highlights \n\n * Addresses a known issue that affects Microsoft accounts (MSA). The web dialog that you use to sign in or sign out might not appear. This issue occurs on devices that have installed KB5016691.\n * Addresses security issues for your Windows operating system. \n\n## Improvements\n\nThis security update includes improvements that were a part of update KB5016691 (released August 25, 2022) and also addresses the following issues: \n\n * Addresses a known issue that affects Microsoft accounts (MSA). The web dialog that you use to sign in or sign out might not appear. This issue occurs on devices that have installed KB5016691.\nIf you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.For more information about security vulnerabilities, please refer to the [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).\n\n### Windows 11 servicing stack update - 22000.975\n\nThis update makes quality improvements to the servicing stack, which is the component that installs Windows updates. 
Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.\n\n## Known issues in this update\n\n**Applies to**| **Symptom**| **Workaround** \n---|---|--- \nIT admins| After installing this update, XPS Viewer might be unable to open XML Paper Specification (XPS) documents in some non-English languages, including some Japanese and Chinese character encodings. This issue affects both XML Paper Specification (XPS) and Open XML Paper Specification (OXPS) files. When encountering this issue, you may receive an error, \"This page cannot be displayed\" within XPS Viewer or it might stop responding and have high CPU usage with continually increasing memory usage. When the error is encountered, if XPS Viewer is not closed it might reach up to 2.5GB of memory usage before closing unexpectedly.This issue does not affect most home users. The [XPS Viewer is no longer installed by default as of Windows 10, version 1803](<https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features>) and [must be manually installed](<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fapplication-management%2Fadd-apps-and-features&data=05%7C01%7Cv-shros%40microsoft.com%7Cf67e41cad4af4dcf09ac08da79a42805%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637956043196783103%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mAxvq%2BP02NuUNLL2Heb2Ukgr1KQwfN5Gs0xwQBs5egY%3D&reserved=0>).| This issue is addressed in KB5017383. \nAll users| Starting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. 
This moves the DST change which was previously September 4 to September 10.Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * \u200bTime shown in Windows and apps will not be correct.\n * \u200bApps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * \u200bAutomation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * \u200bTimestamp on transactions, files, and logs will be 60 minutes off.\n * \u200bOperations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources.\n * \u200bWindows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| This issue is addressed in KB5017383. \nIT admins| After installing this update, file copies using [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files using 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences **> **Windows Settings** in Group Policy Editor.| This issue was addressed in KB5018418. Installation of this update prevents and resolves this issue, but if any workaround was used to mitigate this issue, it will need to be changed back to the original configuration. 
\n \n## How to get this update\n\n**Before installing this update**Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/topic/servicing-stack-updates-ssu-frequently-asked-questions-06b62771-1cb0-368c-09cf-87c4efc4f2fe>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017328>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 11**Classification**: Security Updates \n \n**If you want to remove the LCU**To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. 
You can find the package name by using this command: **DISM /online /get-packages**.Running [Windows Update Standalone Installer](<https://support.microsoft.com/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall **switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.\n\n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5017328](<https://download.microsoft.com/download/c/7/8/c78fc24a-01f1-4788-a8d3-6e11c4b3dd68/5017328.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 22000.975](<https://download.microsoft.com/download/f/2/f/f2f58748-5e2b-4be4-bea3-37af775daf0c/SSU_version_22000_975.csv>). \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017328 (OS Build 22000.978)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017328", "href": "https://support.microsoft.com/en-us/help/5017328", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:14", "description": "None\n**7/12/22** \nAfter September 20, 2022, there will no longer be optional, non-security releases (known as \"C\" or preview releases) for the 2019 LTSC editions and Windows Server 2019. 
Only cumulative monthly security updates (known as the \"B\" or Update Tuesday release) will continue for the 2019 LTSC editions and Windows Server 2019. \n\n**11/17/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). For an overview of Windows 10, version 1809, see its update history page. \n\n## Highlights \n\n * Addresses security issues for your Windows operating system. \n\n## Improvements\n\nThis security update includes improvements that were a part of update KB5016690 (released August 23, 2022) and also addresses the following issues:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.\nIf you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.For more information about security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).\n\n### Windows 10 servicing stack update - 17763.3232\n\nThis update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. 
\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing KB4493509, devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"| This issue is addressed by updates released June 11, 2019 and later. We recommend you install the latest security updates for your device. Customers installing Windows Server 2019 using media should install the latest [Servicing Stack Update (SSU)](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) before installing the language pack or other optional components. If using the [Volume Licensing Service Center (VLSC)](<https://www.microsoft.com/licensing/servicecenter/default.aspx>), acquire the latest Windows Server 2019 media available. The proper order of installation is as follows:\n\n 1. Install the latest prerequisite SSU, currently [KB5005112](<https://support.microsoft.com/help/5005112>)\n 2. Install optional components or language packs\n 3. Install latest cumulative update\n**Note** Updating your device will prevent this issue, but will have no effect on devices already affected by this issue. If this issue is present in your device, you will need to use the workaround steps to repair it.**Workaround:**\n\n 1. Uninstall and reinstall any recently added language packs. For instructions, see [Manage the input and display language settings in Windows 10](<https://support.microsoft.com/windows/manage-the-input-and-display-language-settings-in-windows-12a10cb4-8626-9b77-0ccb-5013e0c7c7a2>).\n 2. Click **Check for Updates **and install the April 2019 Cumulative Update or later. For instructions, see [Update Windows 10](<https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a>).\n**Note **If reinstalling the language pack does not mitigate the issue, use the In-Place-Upgrade feature. 
For guidance, see [How to do an in-place upgrade on Windows](<https://docs.microsoft.com/troubleshoot/windows-server/deployment/repair-or-in-place-upgrade>), and [Perform an in-place upgrade of Windows Server](<https://docs.microsoft.com/windows-server/get-started/perform-in-place-upgrade>). \nAfter installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found.| This issue occurs because of an update to the PnP class drivers used by this service. After about 20 minutes, you should be able to restart your device and not encounter this issue. \nFor more information about the specific errors, cause, and workaround for this issue, please see KB5003571. \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. This moves the DST change which was previously September 4 to September 10.Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * \u200bTime shown in Windows and apps will not be correct.\n * \u200bApps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * \u200bAutomation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * \u200bTimestamp on transactions, files, and logs will be 60 minutes off.\n * \u200bOperations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources.\n * \u200bWindows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. 
Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| This issue is addressed in KB5017379. \nAfter installing this update, file copies using [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files using 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences **> **Windows Settings** in Group Policy Editor.| This issue was addressed in KB5018419. Installation of this update prevents and resolves this issue, but if any workaround was used to mitigate this issue, it will need to be changed back to the original configuration. \n \n## How to get this update\n\n**Before installing this update**Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/topic/servicing-stack-updates-ssu-frequently-asked-questions-06b62771-1cb0-368c-09cf-87c4efc4f2fe>).Prerequisite:You **must **install the August 10, 2021 SSU (KB5005112) before installing the LCU. **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. 
\nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog ](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017315>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n \n**If you want to remove the LCU**To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**.Running [Windows Update Standalone Installer](<https://support.microsoft.com/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall **switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.\n\n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5017315](<https://download.microsoft.com/download/8/c/0/8c0394c0-c4a0-4d86-9522-1c40c4e96bf5/5017315.csv>).For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 17763.3232](<https://download.microsoft.com/download/f/5/1/f51753ae-66cd-4568-8fb6-5a5cbf79186c/SSU_version_17763_3232.csv>). 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017315 (OS Build 17763.3406)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017315", "href": "https://support.microsoft.com/en-us/help/5017315", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:17", "description": "None\n## **Summary**\n\nLearn more about this security-only update, including improvements, any known issues, and how to get the update.\n\n**IMPORTANT **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release).Verify that** **you have installed the required updates in the **How to get this update** section before installing this update. Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ended on January 14, 2020. For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>). 
Because ESU is available as a separate SKU for each of the years in which they are offered (2020, 2021, and 2022)\u2014and because ESU can only be purchased in [specific 12-month periods](<https://docs.microsoft.com/lifecycle/faq/extended-security-updates>)\u2014you must purchase the third year of ESU coverage separately and activate a new key on each applicable device for your devices to continue receiving security updates in 2022.If your organization did not purchase the third year of ESU coverage, you must purchase Year 1, Year 2, and Year 3 ESU for your applicable Windows Server 2008 SP2 devices before you install and activate the Year 3 MAK keys to receive updates. The steps to [install, activate, and deploy ESUs](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) are the same for first, second, and third year coverage. For more information, see [Obtaining Extended Security Updates for eligible Windows devices](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) for the Volume Licensing process and [Purchasing Windows 7 ESUs as a Cloud Solution Provider](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/purchasing-windows-7-esus-as-a-cloud-solution-provider/ba-p/1034637>) for the CSP process. For embedded devices, contact your original equipment manufacturer (OEM).For more information, see the [ESU blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-extended-security-updates-for-windows-7-and-windows/ba-p/1872910>).\n\n**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). 
To view other notes and messages for Windows Server 2008 SP2, see the following update history [home page](<https://support.microsoft.com/help/4343218>).\n\n## **Improvements**\n\nThis security-only update includes key changes for the following issue:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No specific issues are documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the [Deployments | Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>) and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).\n\n## **Known issues in this update**\n\n**Symptom**| **Next step** \n---|--- \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. 
This moves the DST change which was previously September 4 to September 10.Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * \u200bTime shown in Windows and apps will not be correct.\n * \u200bApps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * \u200bAutomation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * \u200bTimestamp on transactions, files, and logs will be 60 minutes off.\n * \u200bOperations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources.\n * \u200bWindows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| This issue is resolved in update [KB5018446](<https://support.microsoft.com/help/5018446>). \nAfter installing this update, file copies which use [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files that have 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences** > **Windows Settings** in Group Policy Editor.| This issue is resolved in update [KB5018446](<https://support.microsoft.com/help/5018446>). If any workaround was used to mitigate this issue, we recommend that you revert to your original configuration. 
\n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates because extended support ended on January 14, 2020.For more information on ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Language packs**If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/library/hh825699>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. 
The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, we strongly recommend that you install the latest SSU ([KB5016129](<https://support.microsoft.com/help/5016129>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).\n\n**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5016618](<https://support.microsoft.com/help/5016618>)).\n\n**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017371>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update KB5017371](<https://download.microsoft.com/download/f/0/6/f068e32d-11a4-4f38-a7e2-1690c54f795e/5017371.csv>).\n\n## **References**\n\nLearn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017371 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017371", "href": "https://support.microsoft.com/en-us/help/5017371", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:17", "description": "None\n## **Summary**\n\nLearn more about this cumulative security update, including improvements, any known issues, and how to get the update.\n\n**IMPORTANT** [Windows Server 2012](<https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2012>) has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. 
Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release).Verify that you have installed the required updates listed in the **How to get this update** section before installing this update.\n\n**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements**\n\nThis cumulative security update contains improvements that are part of update [KB5016672](<https://support.microsoft.com/help/5016672>) (released August 9, 2022) and includes key changes for the following issue:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No specific issues are documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the [Deployments | Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>) and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).\n\n## **Known issues in this update**\n\n**Symptoms**| **Next step** \n---|--- \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. 
This moves the DST change which was previously September 4 to September 10. Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * Time shown in Windows and apps will not be correct.\n * Apps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * Automation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * Timestamp on transactions, files, and logs will be 60 minutes off.\n * Operations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to log on or access resources.\n * Windows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| This issue is resolved in update [KB5018457](<https://support.microsoft.com/help/5018457>). \nAfter installing this update, file copies which use [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files that have 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences** > **Windows Settings** in Group Policy Editor.| This issue is resolved in update [KB5018457](<https://support.microsoft.com/help/5018457>). If any workaround was used to mitigate this issue, we recommend that you revert to your original configuration. 
\n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5016263](<https://support.microsoft.com/help/5016263>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Language packs**If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/library/hh825699>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017370>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update KB5017370](<https://download.microsoft.com/download/7/f/f/7ff3a661-63cb-479f-8879-a31cb6324da4/5017370.csv>).\n\n## **References**\n\nLearn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017370 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017370", "href": "https://support.microsoft.com/en-us/help/5017370", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:16", "description": "None\n## **Summary**\n\nLearn more about this cumulative security update, including improvements, any known issues, and how to get the update.\n\n**REMINDER** [Windows 8.1](<https://docs.microsoft.com/lifecycle/products/windows-81>) will reach end of support on January 10, 2023, at which point technical assistance and software updates will no longer be provided. 
If you have devices running Windows 8.1, we recommend upgrading them to a more current, in-service, and supported Windows release. If devices do not meet the technical requirements to run a more current release of Windows, we recommend that you replace the device with one that supports Windows 11.Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization\u2019s exposure to security risks or impact its ability to meet compliance obligations.For more information, see [Windows 8.1 support will end on January 10, 2023](<https://support.microsoft.com/windows/windows-8-1-support-will-end-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93>).[Windows Server 2012 R2](<https://docs.microsoft.com/lifecycle/products/windows-server-2012-r2>) will reach end of support on October 10, 2023 for Datacenter, Essentials, Embedded Systems, Foundation, and Standard.\n\n**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements**\n\nThis cumulative security update includes improvements that are part of update [KB5016681](<https://support.microsoft.com/help/5016681>) (released August 9, 2022) and includes key changes for the following issue:\n\n * This update contains miscellaneous security improvements to internal OS functionality. 
No specific issues are documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the [Deployments | Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>) and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).\n\n## **Known issues in this update**\n\n**Symptoms**| **Next step** \n---|--- \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. This moves the DST change which was previously September 4 to September 10. Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * Time shown in Windows and apps will not be correct.\n * Apps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * Automation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * Timestamp on transactions, files, and logs will be 60 minutes off.\n * Operations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to log on or access resources.\n * Windows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| This issue is resolved in update [KB5018454](<https://support.microsoft.com/help/5018454>). 
\nAfter installing this update, file copies which use [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files that have 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences** > **Windows Settings** in Group Policy Editor.| This issue is resolved in update [KB5018474](<https://support.microsoft.com/help/5018474>). If any workaround was used to mitigate this issue, we recommend that you revert to your original configuration. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5017398](<https://support.microsoft.com/help/5017398>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Language packs**If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see [Add language packs to Windows](<https://technet.microsoft.com/library/hh825699>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017367>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update KB5017367](<https://download.microsoft.com/download/5/7/7/5771cf45-6276-4d8b-8645-1378219f095d/5017367.csv>). 
\n\n## **References**\n\nLearn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017367 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017367", "href": "https://support.microsoft.com/en-us/help/5017367", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:16", "description": "None\n## **Summary**\n\nLearn more about this security-only update, including improvements, any known issues, and how to get the update.\n\n**REMINDER** [Windows 8.1](<https://docs.microsoft.com/lifecycle/products/windows-81>) will reach end of support on January 10, 2023, at which point technical assistance and software updates will no longer be provided. If you have devices running Windows 8.1, we recommend upgrading them to a more current, in-service, and supported Windows release. If devices do not meet the technical requirements to run a more current release of Windows, we recommend that you replace the device with one that supports Windows 11.Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. 
Continuing to use Windows 8.1 after January 10, 2023 may increase an organization\u2019s exposure to security risks or impact its ability to meet compliance obligations.For more information, see [Windows 8.1 support will end on January 10, 2023](<https://support.microsoft.com/windows/windows-8-1-support-will-end-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93>).[Windows Server 2012 R2](<https://docs.microsoft.com/lifecycle/products/windows-server-2012-r2>) will reach end of support on October 10, 2023 for Datacenter, Essentials, Embedded Systems, Foundation, and Standard.\n\n**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements**\n\nThis security-only update includes key changes for the following issue:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No specific issues are documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the [Deployments | Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>) and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).\n\n## **Known issues in this update**\n\n**Symptoms**| **Next step** \n---|--- \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. 
This moves the DST change which was previously September 4 to September 10. Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * Time shown in Windows and apps will not be correct.\n * Apps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * Automation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * Timestamp on transactions, files, and logs will be 60 minutes off.\n * Operations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to log on or access resources.\n * Windows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| This issue is resolved in update [KB5018476](<https://support.microsoft.com/help/5018476>). \nAfter installing this update, file copies which use [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files that have 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences** > **Windows Settings** in Group Policy Editor.| This issue is resolved in update [KB5018476](<https://support.microsoft.com/help/5018476>). If any workaround was used to mitigate this issue, we recommend that you revert to your original configuration. 
\n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5017398](<https://support.microsoft.com/help/5017398>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). \n\n**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5016618](<https://support.microsoft.com/help/5016618>)).\n\n**Language packs**If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/library/hh825699>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017365>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update KB5017365](<https://download.microsoft.com/download/2/f/d/2fd6b656-6963-4244-8508-4ce55135b659/5017365.csv>). \n\n## **References**\n\nLearn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017365 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017365", "href": "https://support.microsoft.com/en-us/help/5017365", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:17", "description": "None\n## **Summary**\n\nLearn more about this security-only update, including improvements, any known issues, and how to get the update.\n\n**IMPORTANT **[Windows Server 2012](<https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2012>) has reached the end of mainstream support and is now in extended support. 
Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). Verify that you have installed the required updates listed in the **How to get this update** section before installing this update. \n\n**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements**\n\nThis security-only update includes key changes for the following issue:\n\n * This update contains miscellaneous security improvements to internal OS functionality. No specific issues are documented for this release.\nFor more information about the resolved security vulnerabilities, please refer to the [Deployments | Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>) and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).\n\n## **Known issues in this update**\n\n**Symptoms**| **Next step** \n---|--- \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. 
This moves the DST change which was previously September 4 to September 10. Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * Time shown in Windows and apps will not be correct.\n * Apps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * Automation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * Timestamp on transactions, files, and logs will be 60 minutes off.\n * Operations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to log on or access resources.\n * Windows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| This issue is resolved in update [KB5018478](<https://support.microsoft.com/help/5018478>). \nAfter installing this update, file copies which use [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files that have 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences** > **Windows Settings** in Group Policy Editor.| This issue is resolved in update [KB5018478](<https://support.microsoft.com/help/5018478>). If any workaround was used to mitigate this issue, we recommend that you revert to your original configuration. 
\n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5016263](<https://support.microsoft.com/help/5016263>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). \n\n**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5016618](<https://support.microsoft.com/help/5016618>)).\n\n**Language packs**If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/library/hh825699>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017377>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for KB5017377](<https://download.microsoft.com/download/a/4/2/a4256952-adc6-424a-9bca-ccb2d0d885d1/5017377.csv>).\n\n## **References**\n\nLearn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017377 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017377", "href": "https://support.microsoft.com/en-us/help/5017377", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T10:54:14", "description": "None\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). For an overview of Windows 10, version 1607, see its update history page. 
\n\n## Highlights\n\n * Addresses security issues for your Windows operating system. \n\n## Improvements\n\nThis security update includes quality improvements. Key changes include: \n\n * Provides a Group Policy that affects Microsoft Edge IE mode. Administrators can use this Group Policy to let you use the CTRL+S shortcut (Save As) in Microsoft Edge IE mode.\n * Addresses an issue that might log requests against the wrong endpoint.\nIf you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [September 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>).\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nStarting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. 
This moves the DST change which was previously September 4 to September 10.Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:\n\n * \u200bTime shown in Windows and apps will not be correct.\n * \u200bApps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off.\n * \u200bAutomation that uses date and time, such as Scheduled tasks, might not run at the expected time.\n * \u200bTimestamp on transactions, files, and logs will be 60 minutes off.\n * \u200bOperations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources.\n * \u200bWindows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.\n| To mitigate this issue, please see [Possible issues caused by new Daylight Savings Time in Chile](<https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016#2892msgdesc>).We are working on a resolution and will provide an update in an upcoming release.**Note **We plan to release an update to support this change; however, there might be insufficient time to properly build, test, and release such an update before the change goes into effect. Please use the workaround above. \nAfter installing this update, file copies using [Group Policy Preferences](<https://learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922\\(v=ws.11\\)>) might fail or might create empty shortcuts or files using 0 (zero) bytes. 
Known affected Group Policy Objects are related to files and shortcuts in **User Configuration** > **Preferences **> **Windows Settings** in Group Policy Editor.| This issue was addressed in KB5018411. Installation of this update prevents and resolves this issue, but if any workaround was used to mitigate this issue, it will need to be changed back to the original configuration. \n \n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/topic/servicing-stack-updates-ssu-frequently-asked-questions-06b62771-1cb0-368c-09cf-87c4efc4f2fe>). If you are using Windows Update, the latest SSU (KB5017396) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5017305>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5017305](<https://download.microsoft.com/download/a/a/a/aaac3921-c041-4cea-9135-169e871bb51f/5017305.csv>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T07:00:00", "type": "mskb", "title": "September 13, 2022\u2014KB5017305 (OS Build 14393.5356)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T07:00:00", "id": "KB5017305", "href": "https://support.microsoft.com/en-us/help/5017305", "cvss": {"score": 0.0, "vector": "NONE"}}], "trellix": [{"lastseen": "2022-10-05T00:00:00", "description": "# The Bug Report \u2014 September 2022 Edition\n\nBy Charles McFarland \u00b7 October 5, 2022\n\n As long as it works.... \n\n\n## Why am I here?\n\nWelcome back to the Bug Report, don\u2019t-stub-your-toe edition! For those in the audience unfamiliar with how we do things here, every month we filter down that month\u2019s bugs to just a handful of the most critical ones so you can sleep in and tell your boss what great research you\u2019ve been doing.\n\nWith a couple of exceptions, September has been a very welcome slow month for major bugs. 
As such, we\u2019ll step out from the norm a little and cover some vulns maybe more relevant to certain teams than others.\n\n * CVE-2022-34721 + CVE-2022-34718: Windows IKE + TCP/IP\n * CVE-2022-32917: macOS, iOS, and iPadOS\n * CVE-2022-39197: Cobalt Strike\n * CVE-2007-4559: Python\n \n\n\n## CVE-2022-34721 + CVE-2022-34718: Because two is always better than one\n\n### What is it?\n\nWhile we avoid basing our bug report strictly on CVSS scores, a 9.8 usually catches our attention. There were several to choose from in Microsoft\u2019s September Patch Tuesday, but two in particular seemed especially critical. I decided to take care of both Patch Tuesday bugs in one section because why not? The first is a remote code execution bug in IKE, CVE-2022-34721. IKE, or Internet Key Exchange, is the protocol that negotiates the keys for [IPsec](<https://www.cloudflare.com/learning/network-layer/what-is-ipsec/>), which is what many Virtual Private Networks are built on. Essentially, all modern Windows versions with IPsec enabled are impacted. Do you remember all those work-from-home folks you set up VPNs for? Yeah, those are the ones you should be concerned about.\n\nThe second Patch Tuesday bug that caught my attention was CVE-2022-34718, another 9.8 RCE. This vulnerability is found in the Windows TCP/IP stack and, like CVE-2022-34721, it impacts systems running IPsec. Only those with IPv6 enabled are affected, but the only mitigation short of patching is to disable IPv6 entirely. This bug is highly likely to be wormable, highly likely to be exploited, and highly likely to have a working PoC out there in the wild. How do I know the latter? Because a PoC was leaked on GitHub and was quickly taken down by administrators. Not before some [automated PoC collection tools](<https://gitlab.com/securitystuffbackup/PoC-in-GitHub/-/tree/master/>) discovered it, however. It\u2019s na\u00efve to think no one else got a copy before it was removed.\n\n### Who cares?\n\nDo you use VPNs on Windows? 
That means you should care. If you\u2019re running IPv6 you should double care. Pretty much every Windows shop with remote workers or frequent travelers should be paying close attention to this one.\n\n### What can I do?\n\nAs I stated before, these were from September\u2019s Patch Tuesday. If you need to do anything you are already a month late. Get those patches ASAP! Make sure your users are up to date and scold them (as nicely as possible) if they are not. I get it, sometimes you can't patch right away. However, we\u2019re talking about a wormable unauthenticated RCE bug with a leaked PoC here. A month is too long to wait!\n\n \n\n\n## CVE-2022-32917: If I had an Apple for every time...\n\n### What is it?\n\nPrivilege escalation vulnerabilities don\u2019t often get the attention they deserve. Why not? They\u2019re essential to many malware campaigns. True, they aren\u2019t as flashy as RCEs, but without them many campaigns and malware families would just fall flat. What makes [CVE-2022-32917](<https://nvd.nist.gov/vuln/detail/CVE-2022-32917>) interesting is that it affects macOS, iOS, and iPadOS. That pretty much covers every device in Apple\u2019s infamous \u201cecosystem.\u201d Well, maybe not Apple Watches but are those company-managed anyway? To make matters worse, Apple has [acknowledged](<https://support.apple.com/en-us/HT213443>) that there are reports of attacks in the wild. Not much more information is available yet, but an actively exploited kernel privilege escalation across all your Apple devices should kick-start your morning.\n\n### Who cares?\n\nApple users and the IT shops that manage them should care. You can be sure cybercriminals will. Again, this is actively exploited so if you haven\u2019t patched, you\u2019re already behind. It impacts common BYOD items such as iPhones so containment may become an issue. 
As we all know, users _always_ keep their devices up to date.\n\n### What can I do?\n\nWithout more information about the vulnerability and the in-the-wild exploits, your only option is to patch. iPadOS and iOS should be running version 15.7 (or 16, for iOS). macOS should be running either 11.7 or 12.6. Beyond that? Sit and wait. Since Apple knows of the exploits, we hope to see some form of writeup soon. It\u2019s not uncommon for security researchers to give some time for patches to be applied before disclosing their findings. Until then, patch, patch, patch.\n\n \n\n\n## CVE-2022-39197: September, Please-Don\u2019t-Hack-Back month...\n\n### What is it?\n\nCobalt Strike may not be familiar to your average IT professional, but it\u2019s the bread and butter for many red teams out there. On September 20th an [out-of-band patch](<https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/>) for Cobalt Strike was deployed to fix several issues, including [CVE-2022-39197](<https://nvd.nist.gov/vuln/detail/CVE-2022-39197>), a cross-site scripting (XSS) vulnerability. Typically, XSS vulnerabilities don\u2019t hit our radar, but partially because of the slow month and partially because of the irony of a hacking platform exploit, here it is. Essentially, a bad actor can set a malformed username in a beacon configuration and get code execution on the Cobalt Strike team server. Of the existing [PoCs](<https://github.com/xzajyjs/CVE-2022-39197-POC>) I\u2019ve found, most have simply been used to troll the servers with random images. Those who live by the sword, eh?\n\n Figure 1: Reproduction by [@xzajyjs](<https://github.com/xzajyjs>) from <https://www.cnblogs.com/xzajyjs/p/16724512.html> \n\n\n### Who cares?\n\nIf you\u2019re a large company, you may hire a red team for a security assessment. Maybe you even have your own. In either case, those red teams should care, as a very large portion of them use Cobalt Strike. 
For any cybercriminals using Cobalt Strike, you should not care. Ignore the patch and keep the old vulnerable version; everything will be just fine.\n\n### What can I do?\n\nMake sure you\u2019re on version 4.7.1. In your TeamServer.prop file, you should have `limits.beacons_xssvalidated=True` set. If it\u2019s set to `False`, you have a problem. If you\u2019re negotiating a red team engagement with a third party, ask them what tools and versions they intend to use. Point them to this bug report or the [official disclosure](<https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/>) if you find they\u2019re using an old version of Cobalt Strike.\n\n \n\n\n## CVE-2007-4559: Wait, 2007? Is that a typo?\n\n### What is it?\n\nThat\u2019s not a typo. We\u2019ll finish off this bug report with a [15-year-old Python bug](<https://nvd.nist.gov/vuln/detail/CVE-2007-4559>) that keeps on giving! Some new research on this bug puts its potential impact at 350,000+ open-source repositories. Full disclosure, that was us. In our defense, the original bug was published on August 27th of 2007, which is really _really_ close to September 2022 - give or take 15 years. So, what does this bug do? Essentially, it\u2019s a directory traversal bug: `tarfile.extract()` and `tarfile.extractall()` write each member to whatever path the archive names, so a member name containing `../` lands outside the extraction directory and an attacker-supplied archive can overwrite any file the extracting user can write. In some circumstances, this can even lead to code execution. It\u2019s a very easy mistake to make, as the default behavior of the tarfile module, and the most straightforward implementation, leads to this vulnerability. Just look how simple it is:\n\n Figure 2: Vulnerable extractall() \n\n\n### Who cares?\n\nDevelopers who write Python code or use Python open-source software should be aware of it and its prevalence. Why is it so prevalent? Because the response to this bug was to warn about the dangers of using untrusted tar files in the official documentation. 
Of course, we all read the official docs, right? Most developers either failed to read the warning or ignored it altogether! Now, I\u2019m all for ignoring annoying things but security warnings should be an exception. Skip ahead 15 years and now most open-source software packages using tarfile do things insecurely and may have found their way into your supply chain.\n\n### What can I do?\n\nIn this case we\u2019re trying to do the hard work for you. We have been hard at work patching as many of these open-source projects as possible. Pull requests kicked off late September, so project maintainers can add the patch to their code base. If you are a project maintainer, keep an eye out for our pull request or write your own tarfile sanitization patch as soon as possible. If you are a user of open-source software, update your packages as soon as they have a patch applied. Not every project will get patched, nor will every maintainer accept the pull request. In those cases, and for closed-source software, you can use tools like [Creosote](<https://github.com/advanced-threat-research/Creosote>) to scan your own projects. For you developers out there, now you know. Read the warnings. 
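To make the traversal concrete, here is an added example (it is not code from the Trellix write-up or from the Creosote project): it builds a tar archive in memory with a member named `../escaped.txt`, shows the stock `extractall()` writing that file one level above the extraction directory, and then runs the same archive through an extractor that checks where each member (and each link target) would resolve before writing it. File names and contents are constructed for the demo; the hypothetical `demo()` helper only reports which files ended up where.

```python
"""Added example for CVE-2007-4559 (not code from the Trellix write-up).

Builds a tar archive in memory whose second member is named "../escaped.txt",
shows that the stock tarfile.extractall() drops that file one level above the
extraction directory, and implements the member-path check a safe extractor
needs. File names and contents below are constructed for the demo.
"""
import io
import os
import tarfile
import tempfile


def build_traversal_tar() -> bytes:
    """Return a constructed archive: one benign member, one that climbs out."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("readme.txt", b"hello\n"),
                              ("../escaped.txt", b"owned\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_names(data: bytes) -> list:
    """Member names exactly as stored in the archive (no normalisation)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return tar.getnames()


def is_within(base: str, target: str) -> bool:
    """True if target resolves to base or somewhere beneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only members whose final path (and link target) stays under dest.

    Rejects names containing "..", absolute names, and symlinks or hard links
    that point outside dest. Raises ValueError on the first bad member.
    """
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if not is_within(dest, target):
                raise ValueError(f"blocked traversal: {member.name!r}")
            if member.issym():   # symlink targets are relative to the member's directory
                link = os.path.join(os.path.dirname(target), member.linkname)
            elif member.islnk():  # hard link targets are relative to the archive root
                link = os.path.join(dest, member.linkname)
            else:
                link = None
            if link is not None and not is_within(dest, link):
                raise ValueError(f"blocked link escape: {member.name!r}")
            tar.extract(member, dest)
            extracted.append(member.name)
    return extracted


def demo(vulnerable: bool) -> dict:
    """Extract the constructed archive into <tmp>/extract and report what landed.

    vulnerable=True reproduces the CVE-2007-4559 pattern: extractall() with no
    path checks. Pythons that ship PEP 706 extraction filters are pinned to the
    historic "fully_trusted" behaviour so the demo is the same on every version.
    """
    data = build_traversal_tar()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        os.mkdir(dest)
        error = None
        if vulnerable:
            kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "data_filter") else {}
            with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
                tar.extractall(dest, **kwargs)  # the vulnerable call
        else:
            try:
                safe_extract(data, dest)
            except ValueError as exc:
                error = str(exc)
        return {
            "inside": os.path.isfile(os.path.join(dest, "readme.txt")),
            "escaped": os.path.isfile(os.path.join(tmp, "escaped.txt")),
            "error": error,
        }


if __name__ == "__main__":
    print("stock extractall():", demo(vulnerable=True))
    print("checked extract(): ", demo(vulnerable=False))
```

Running it shows `escaped.txt` created outside the extraction directory by the stock call and the same member rejected by `safe_extract()`. The check is done on the resolved path, not on a string match for `..`, so absolute names, `./../` variants and links that hop out are all caught. Python 3.12 added extraction filters for exactly this problem (PEP 706, backported to 3.8.17, 3.9.17, 3.10.12 and 3.11.4): passing `filter="data"` to `extract()`/`extractall()` rejects the same cases, and 3.14 makes that filter the default, which is why the vulnerable branch above pins `fully_trusted` to reproduce the old behaviour.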
Your code may stick around a _looong_ time so let\u2019s keep this ancient bug from surviving another 15 years.\n", "cvss3": {}, "published": "2022-10-05T00:00:00", "type": "trellix", "title": "The Bug Report \u2014 September 2022 Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2007-4559", "CVE-2022-32917", "CVE-2022-34718", "CVE-2022-34721", "CVE-2022-39197"], "modified": "2022-10-05T00:00:00", "id": "TRELLIX:EBD56C9F3321809BB35031678EE7699F", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-september-2022-edition.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-03T00:00:00", "description": "# The Bug Report \u2013 April 2023 Edition\n\nBy John Rodriguez \u00b7 May 3, 2023\n\n It\u2019s never easy coming back. \n\n\n## Why am I here?\n\nSeems as if some of us should have stayed at our tropical vacation getaway. Nothing like coming back to the cyber world screeching about intelligence leaks, critical vulnerabilities, and breaches. It\u2019s as if we should be asking \u201cwho has not been breached these days?\u201d 3CX made the news early in April via a supply chain attack, Uber\u2019s driver data was stolen via the breach on Genova Burns LLC and now MSI has been compromised. Fear not! It\u2019s not all doom and gloom, as the Trellix Advanced Research Center helped take down one of the largest online markets for illegal activities and content.\n\nOrganizations looking to avoid having their names wind up in similar headlines have come to the right place, as the Bug Report promises to the answer the questions, \u201cWhat is it?\u201d \u201cWho cares?\u201d and \u201cWhat can I do?\u201d for the top vulnerabilities each month. As promised, let\u2019s say hello to this month\u2019s list of faulty bugs! 
\n\n * CVE-2023-28205: macOS, iOS, iPadOS, and Safari\n * CVE-2023-29389: 2021 Toyota RAV4\n * CVE-2023-28252: Windows Common Log File System (CLFS)\n * CVE-2023-2033: Google Chrome and Chromium\n\n## CVE-2023-28205: One bite of the Apple\n\n### What is it?\n\nLooks like Google\u2019s Cl\u00e9ment Lecigne is [on](<https://nvd.nist.gov/vuln/detail/CVE-2021-1879>) [a](<https://nvd.nist.gov/vuln/detail/cve-2022-42856>) [roll](<https://nvd.nist.gov/vuln/detail/CVE-2023-28205>) with Apple-related CVEs, this being his third major find in just two years. This vulnerability is a use-after-free in Webkit, a browser engine used in Safari, iOS, iPadOS, and macOS to render online content. The vuln can be triggered via a malicious HTML page embedded with a JavaScript payload, leading to arbitrary code execution with elevated privileges.\n\n### Who cares?\n\nA wide range of devices running iOS, iPadOS, Safari, and macOS are vulnerable, placing the majority of Apple\u2019s customers firmly in the \u201cI care\u201d column. You may be surprised to learn that the iPod Touch was among the vulnerable products that have been patched. Frankly, I had to research if iPods are still even a thing\u2014I must be getting old. \n\n I am old. \n\n\nIt should also be noted that the researchers who reported this bug to Apple apparently [discovered it being used in the wild](<https://twitter.com/DonnchaC/status/1644414669254271006>), although neither they nor Apple have released any details regarding the nature of this exploitation as of yet. 
\n\n### What can I do?\n\nThankfully, Apple has already patched this vulnerability with the release of versions [15.7.5](<https://support.apple.com/en-us/HT213723>) and [16.4.1](<https://support.apple.com/en-us/HT213720>) for iOS, iPadOS, and Safari and the release of [macOS Ventura 13.3.1.](<https://support.apple.com/en-us/HT213721>) If you\u2019ve somehow survived this long without knowing how to update your Apple devices, Apple provides support pages on how to accomplish this for both [mobile](<https://support.apple.com/en-us/HT204204>) and [desktop](<https://support.apple.com/en-us/HT201541>). \n\n## CVE-2023-29389: 2021 Toyota RAV4, now with keyless entry \n\n### What is it?\n\nAt the risk of sounding entitled, would it be possible for Toyota to ensure their vehicles _don\u2019t_ automatically trust messages from other ECUs via the CAN bus? Unfortunately, I don\u2019t think the folks at Toyota can hear my request, since it\u2019s still possible to use this type of attack on any 2021 Toyota RAV4 (and potentially other vehicles\u2014see below). Simply access the headlight connector behind the bumper and send a [\"Key is validated\"](<https://vulners.com/cve/CVE-2023-29389>) message via CAN injection, and now you can control the vehicle.\n\n This isn\u2019t what I had in mind when the salesperson told me it had \u201ckeyless entry.\u201d \n\n\nKen Tindell, CTO of Canis Automotive Labs, and his friend Ian Tabor discovered this vulnerability after Ian\u2019s RAV4 was [stolen off the street](<https://twitter.com/mintynet/status/1549955820166778881>) back in July of last year after a couple of failed attempts in April, meaning criminals have been using this vulnerability for at least a year. 
In [his blog](<https://kentindell.github.io/2023/04/03/can-injection/>), Ken notes that although the CVE description explicitly names the 2021 Toyota RAV4 as the vulnerable product, \u201cthis is not something specific to Toyota: Ian investigated the RAV4 because his stolen car was a RAV4, and other manufacturers have car models that can be stolen in a similar way.\u201d In fact, the theft device they reverse-engineered to discover the vulnerability claims to support \u201cLexus models including the ES, LC, LS, NX, RX and Toyota models including the GR Supra, Prius, Highlander, Land Cruiser - and RAV4.\u201d\n\n### Who cares?\n\nIn 2021, Toyota sold [407,739](<https://www.goodcarbadcar.net/toyota-rav4-sales-figures/>) RAV4s in the U.S. alone. Not all of those were 2021 model-year cars, given how release cycles overlap calendar years, but it is still a significant number of vehicles that may be vulnerable to CAN injection hijacking. If Ken Tindell\u2019s claim that this vulnerability affects various other Lexus and Toyota models is to be believed, it\u2019s possible this number could be in the millions. A threat actor compromising a vehicle via this method could endanger the public or the driver\u2019s life\u2014or, more likely, use it to unlock and [steal the car right off the street in minutes.](<https://arstechnica.com/information-technology/2023/04/crooks-are-stealing-cars-using-previously-unknown-keyless-can-injection-attacks/>)\n\n### What can I do?\n\nCurrently there is no patch available from Toyota. So\u2026 secure your vehicle? Have it insured? Forgo electronic vehicles entirely? Jokes aside, without a patch from Toyota, your best bet is probably to avoid leaving your RAV4 on the street at night and park in the garage for the time being. 
If you need to park on the street, utilize a steering wheel lock to make your vehicle a less attractive target for carjackers.\n\n## CVE-2023-28252: Gang Gang CLFS\n\n### What is it?\n\nNothing like jumping into another [zero-day](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252>) found in the Windows driver for its [Common Log File System (CLFS)](<https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-the-common-log-file-system>), which seems to be a common target for vulnerabilities as of late. For those that don\u2019t know, CLFS is a subsystem utilized by both the kernel and user space applications to, among other things, log [transactions](<https://en.wikipedia.org/wiki/Database_transaction>) to the disk in the form of a Base Log File.\n\nCVE-2023-28252 can be exploited by malforming the Base Log File\u2019s fields enough to cause an out-of-bounds write when the driver processes it. Once the vulnerability is triggered, the attacker may use the exposed kernel structures to execute malicious code with system privileges.\n\n### Who cares?\n\nDo you run Windows in enterprise environments? Maybe even just at home? If you own one of the [billions of devices](<https://news.microsoft.com/bythenumbers/en/windowsdevices>) worldwide that run Windows, congratulations, you are vulnerable! \n\nTo be fair, the CLFS data structures are old and have had [several](<https://nvd.nist.gov/vuln/detail/CVE-2022-24521>) [vulnerabilities](<https://nvd.nist.gov/vuln/detail/CVE-2022-37969>) attributed to them since 2018. The pressing matter with this CVE is that it has been exploited in the wild by cybercriminals to deploy [Nokoyawa ransomware](<https://kcm.trellix.com/corporate/index?page=content&id=KB95686&locale=en_US>).\n\n Gang Gang. \n\n\n### What can I do?\n\nGiven the fact that this vulnerability is being exploited in the wild to deliver ransomware, it is recommended to patch your systems as soon as possible. 
You can find the patch details [here](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252>).\n\n## CVE-2023-2033: V8 fragged out\n\n### What is it?\n\nIt looks like Google\u2019s Cl\u00e9ment Lecigne isn\u2019t content with finding bug after bug in Apple\u2019s Webkit and has also set his sights on Google\u2019s own V8 JavaScript engine, used in Google Chrome and other Chromium-based browsers like Edge and Opera. CVE-2023-2033 is yet another type confusion bug in V8, this one affecting all versions of Chrome prior to 112.0.5615.121. Wow, that was a mouthful; maybe we can get a bit more streamlined with version numbers instead of [APT naming conventions](<https://www.securityweek.com/microsoft-will-name-apts-actors-after-weather-events/>).\n\n### Who cares?\n\n[Google stated](<https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html>) that it is aware this CVE has been exploited in the wild. Thus, I think most of us care at this point, whether we like it or not. I tried not to, but I somehow found myself using Google Chrome again. In fact, I now have 128 GB of RAM to safely use a window with a single tab in Chrome. Don\u2019t act like Firefox is any better; I had so many plugins that I had to migrate it to one of those enterprise servers with a terabyte of RAM. \n\n Death is near. \n\n\n### What can I do?\n\nGiven that this vulnerability has been observed being exploited in the wild, the best course of action is to patch ASAP. You can start by consulting Google\u2019s [Chrome Releases](<https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html>) for more details. 
According to the [Chromium Security](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) page, these releases also apply to the Chromium project and, by extension, Chromium-based browsers that aren\u2019t Chrome.\n\n_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _\n", "cvss3": {}, "published": "2023-05-03T00:00:00", "type": "trellix", "title": "The Bug Report \u2013 April 2023 Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1879", "CVE-2022-24521", "CVE-2022-37969", "CVE-2022-42856", "CVE-2023-2033", "CVE-2023-28205", "CVE-2023-28252", "CVE-2023-29389"], "modified": "2023-05-03T00:00:00", "id": "TRELLIX:8BD01EA6BA65A0EAF5676CDB45BF0A4D", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-april-2023-edition.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2023-06-03T14:57:38", "description": "# CVE-2022-34718 IPv6 Remote Code Execution exploit sample\n\nThis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T11:39:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34718"], "modified": "2023-03-23T05:31:28", "id": "A304CD7E-97E7-577B-91FF-D46A42433CD9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-11-30T08:21:31", "description": "# CVE-2022-34721-RCE-POC\n\u6d41\u8840\u4f60(BLEED YOU) A critical RCE vulnerabi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-29T18:34:08", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-34721"], "modified": "2022-11-30T06:11:29", "id": "4855B030-D9C3-5C79-9B66-178F5260F85F", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2023-06-03T17:16:17", "description": "# CVE-2022-37969 Windows Local Privilege Escalation PoC\n\nauthors...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-09T21:17:44", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": 
"MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37969"], "modified": "2023-06-02T15:25:06", "id": "D598E7AD-BBBF-5B09-9F22-E6375FA7DE94", "href": "", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-10-13T22:35:58", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Common Log File System Driver Elevation of Privilege (CVE-2022-35803)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-35803"], "modified": "2022-09-13T00:00:00", "id": "CPAI-2022-0560", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-13T22:33:51", "description": "A remote code execution vulnerability exists in Microsoft Windows Internet Key Exchange protocol. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-21T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Internet Key Exchange Remote Code Execution (CVE-2022-34721)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34721"], "modified": "2022-09-21T00:00:00", "id": "CPAI-2022-0605", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-04-22T19:30:10", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Common Log File System Driver Elevation of Privilege (CVE-2022-24521)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-04-12T00:00:00", "id": "CPAI-2022-0101", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2022-09-24T00:03:21", "description": "Hello everyone! Let's take a look at Microsoft's September Patch Tuesday. This time it is quite compact. There were 63 CVEs released on Patch Tuesday day. If we add the vulnerabilities released between August and September Patch Tuesdays (as usual, they were in Microsoft Edge), the final number is 90. 
Much less than usual.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239101>\n \n \n $ cat comments_links.txt \n Qualys|September 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/2022/09/13/september-2022-patch-tuesday\n ZDI|THE SEPTEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/9/13/the-september-2022-security-update-review\n Kaspersky|Patches for 64 vulnerabilities in Microsoft products released|https://www.kaspersky.com/blog/microsoft-patch-tuesday-september-2022/45501/\n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"September\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n ...\n MS PT Year: 2022\n MS PT Month: September\n MS PT Date: 2022-09-13\n MS PT CVEs found: 63\n Ext MS PT Date from: 2022-08-10\n Ext MS PT Date to: 2022-09-12\n Ext MS PT CVEs found: 27\n ALL MS PT CVEs: 90\n ...\n\n * Urgent: 0\n * Critical: 1\n * High: 41\n * Medium: 44\n * Low: 4\n\n## Exploitable vulnerabilities\n\nThere are no vulnerabilities with public exploits yet. There are 3 vulnerabilities for which there is a Proof-of-Concept Exploit according to data from CVSS.\n\n 1. **Elevation of Privilege **- Kerberos (CVE-2022-33679). An unauthenticated attacker could perform a man-in-the-middle network exploit to downgrade a client's encryption to the RC4-md4 cypher, followed by cracking the user's cypher key. The attacker could then compromise the user's Kerberos session key to elevate privileges.\n 2. **Elevation of Privilege **- Azure Guest Configuration and Azure Arc-enabled servers (CVE-2022-38007). An attacker who successfully exploited the vulnerability could replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. 
On an Azure VM with the Guest Configuration Linux Extension installed, this would run in the context of the GC Policy Agent daemon. On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons. \n 3. **Elevation of Privilege** - Windows GDI (CVE-2022-34729). An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\nBut the likelihood that these exploits will be used in real attacks seems low.\n\n## Exploitation in the wild\n\nThere are 3 vulnerabilities with a sign of exploitation in the wild:\n\n * **Elevation of Privilege** - Windows Common Log File System Driver (CVE-2022-37969). An attacker must already have access and the ability to run code on the target system. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability affects many versions of Windows, there are patches even for EOL versions. In addition to this vulnerability, there was a bunch of EoPs in Windows with no signs of exploitation in the wild, for example **Elevation of Privilege** - Windows Kernel (CVE-2022-37956, CVE-2022-37957, CVE-2022-37964)\n * **Security Feature Bypass** - Microsoft Edge (CVE-2022-2856, CVE-2022-3075). Edge vulnerabilities are actually Chromium vulnerabilities. This is the downside of using the same engine. Chrome vulnerabilities also affect Edge, Opera, Brave, Vivaldi, etc.\n\n## IP packet causes RCE\n\n**Remote Code Execution** - Windows TCP/IP (CVE-2022-34718). An unauthorized attacker can use it to execute arbitrary code on the attacked Windows computer with the IPSec service enabled by sending a specially crafted IPv6 packet to it. This vulnerability can only be exploited against systems with Internet Protocol Security (IPsec) enabled. IPsec and IPv6 are evil.  But seriously, it's bad that this is even possible.\n\nAnd that's not all, there's more. 
**Remote Code Execution** - Windows Internet Key Exchange (IKE) Protocol Extensions (CVE-2022-34721, CVE-2022-34722). The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. Although these vulnerabilities only affect the IKEv1 protocol version, Microsoft reminds that all Windows Server systems are vulnerable because they accept both v1 and v2 packets.\n\n## Windows DNS Server DoS\n\n**Denial of Service** - Windows DNS Server (CVE-2022-34724). This bug is only rated Important since there\u2019s no chance of code execution, but you should probably treat it as Critical due to its potential impact. A remote, unauthenticated attacker could create a denial-of-service (DoS) condition on your DNS server. It\u2019s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises.\n\n## Spectre-BHB\n\n**Memory Corruption** - ARM processor (CVE-2022-23960). This is yet another variation of the Spectre vulnerability (this time Specter-BHB), which interferes with a processor\u2019s speculative execution of instructions mechanism. In other words, the probability of its use in real attacks is extremely small \u2014 the danger is somewhat theoretical. 
But almost all Patch Tuesday reviewers paid attention to this vulnerability.\n\nFull Vulristics report: [ms_patch_tuesday_september2022](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_september2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-23T22:44:11", "type": "avleonov", "title": "Microsoft Patch Tuesday September 2022: CLFS Driver EoP, IP packet causes RCE, Windows DNS Server DoS, Spectre-BHB", "bulletinFamily": "blog", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23960", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-34724", "CVE-2022-34729", "CVE-2022-37956", "CVE-2022-37957", "CVE-2022-37964", "CVE-2022-37969", "CVE-2022-38007"], "modified": "2022-09-23T22:44:11", "id": "AVLEONOV:75C789BDAA68C1C2CEC0F20F1D138B01", "href": "https://avleonov.com/2022/09/24/microsoft-patch-tuesday-september-2022-clfs-driver-eop-ip-packet-causes-rce-windows-dns-server-dos-spectre-bhb/", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-23T12:23:39", "description": "Hello 
everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my [Vulristics](<https://github.com/leonov-av/vulristics>) project. I decided to add more comment sources. Because it's not just Tenable, Qualys, Rapid7 and ZDI make Microsoft Patch Tuesday reviews, but also other security companies and bloggers. \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239085>\n\nYou can see them in my automated security news telegram channel [avleonovnews](<https://t.me/avleonovnews>) after every second Tuesday of the month. So, now you can add any links with CVE comments to Vulristics.\n\nFor April Patch Tuesday I will add these sources:\n\n * [Kaspersky](<https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/>)\n * [KrebsOnSecurity](<https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/>)\n * [ComputerWeekly](<https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs>)\n * [TheHackersNews](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>)\n * [Threatpost](<https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/>)\n\nLet's see if they highlight different sets of vulnerabilities.\n \n \n $ cat comments_links.txt\n Qualys|April 2022 Patch Tuesday: Microsoft Releases 145 Vulnerabilities with 10 Critical; Adobe Releases 4 Advisories, 78 Vulnerabilities with 51 Critical.|https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday\n ZDI|THE APRIL 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review\n Kaspersky|A bunch of vulnerabilities in Windows, one already exploited|https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/\n KrebsOnSecurity|Microsoft Patch Tuesday, April 2022 Edition|https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/\n 
ComputerWeekly|Microsoft patches two zero-days, 10 critical bugs|https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs\n TheHackersNews|Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities|https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html\n Threatpost|Microsoft Zero-Days, Wormable Bugs Spark Concern|https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/\n\nI have also added links to [Qualys](<https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday>) and [ZDI](<https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review>) blogposts. Qualys didn't fix their blog search (apparently no one uses it). ZDI don't have a blog search, and duckduckgo stopped indexing them properly. \n\nIn addition, Tenable closed access to their [tenable.com](<http://tenable.com>). This is rather ironic considering that [Russian Tenable Security Day](<https://tenable-day.tiger-optics.ru/>) took place on February 10, 2022, just two months ago. [I participated in it](<https://www.youtube.com/watch?v=V5T3ftcFwdY>). It was a formal event with [Tenable's EMEA CTO and Regional Manager](<https://t.me/avleonovcom/961>). And now we are not talking about any support, updates and licenses for Russian companies and individuals, but even about access to the Tenable website. This is how the situation can change rapidly, if you trust Western vendors. Try not to do this.\n\nBut in any case, you can still use the Tenable blog as a source of comments about Patch Tuesday vulnerabilities. 
I have added socks proxy support to Vulristics.\n \n \n vulners_key = \"SFKJKEWRID2JFIJ...AAK3DHKSJD\"\n proxies = {\n 'http': \"socks5://<host>:<port>\",\n 'https': \"socks5://<host>:<port>\"\n }\n\nI run the command like this:\n \n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"April\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n\nJust like last month, I'm taking into account not only the vulnerabilities published on April 11 (117 CVEs), but also all the vulnerabilities since last Patch Tuesday (40 CVEs). There are a total of 157 CVEs in the report.\n \n \n MS PT Year: 2022\n MS PT Month: April\n MS PT Date: 2022-04-12\n MS PT CVEs found: 117\n Ext MS PT Date from: 2022-03-09\n Ext MS PT Date to: 2022-04-11\n Ext MS PT CVEs found: 40\n ALL MS PT CVEs: 157\n\n * Critical: 5\n * High: 51\n * Medium: 91\n * Low: 10\n\nLet's start with the critical ones:\n\n * **Elevation of Privilege** - Windows Common Log File System Driver ([CVE-2022-24521](<https://vulners.com/cve/CVE-2022-24521>)). Exploitation in the wild is mentioned in AttackerKB and Microsoft. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Functional Exploit). Since this vulnerability only allows a privilege escalation, it is likely paired with a separate code execution bug. This vulnerability was reported by the US National Security Agency.\n * **Remote Code Execution** - Remote Procedure Call Runtime ([CVE-2022-26809](<https://vulners.com/cve/CVE-2022-26809>)). An unauthenticated, remote attacker could exploit this vulnerability by sending \u201ca specially crafted RPC call to an RPC host.\u201d The vulnerability could allow a remote attacker to execute code at high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between machine where RPC can be reached. 
A proof of concept of this vulnerability [is available on giithub](<https://github.com/XmasSnow1/cve-2022-26809>). Other RCEs in RPC ([CVE-2022-24492](<https://vulners.com/cve/CVE-2022-24492>), [CVE-2022-24528](<https://vulners.com/cve/CVE-2022-24528>)) were also classified as Critical, but this is due to misattribution of exploits. The only exploitable is [CVE-2022-26809](<https://vulners.com/githubexploit/706a6eeb-1d07-53eb-8455-f7809863dadc>). \n * ****Remote Code Execution**** - Microsoft Edge ([CVE-2022-1096](<https://vulners.com/cve/CVE-2022-1096>)). In Vulristics report it was detected as **Unknown Vulnerability Type** because it's impossible to detect vulnerability type by description. "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2022-1096 exists in the wild." In fact it is a well-known 0day RCE in Chrome, that affected all other Chromium-based browsers. Exploitation in the wild is mentioned in AttackerKB. The Vulristics report states that "Public exploit is found at Vulners". However, it's just a "Powershell script that dumps Chrome and Edge version to a text file in order to determine if you need to update due to CVE-2022-1096". Yes, it is difficult to determine what exactly was uploaded on github.\n\nNow let's see the most interesting vulnerabilities with the High level.\n\n * **Elevation of Privilege** - Windows User Profile Service ([CVE-2022-26904](<https://vulners.com/cve/CVE-2022-26904>)). This vulnerability supposed to have been fixed in the August 2021 update, when it was tracked as CVE-2021-34484. However, the researcher who discovered it later discovered a bypass, and then when that was fixed again in January, he went and bypassed it a second time. 
Not only is PoC out there for it, there\u2019s a [Metasploit module](<https://vulners.com/metasploit/msf:exploit/windows/local/cve_2022_26904_superprofile/>) as well. This privilege escalation vulnerability allows an attacker to gain code execution at SYSTEM level on affected systems. The vulnerability relies on winning a race condition, which can be tricky to reliably achieve.\n * **Information Disclosure** - Windows Kernel ([CVE-2022-24483](<https://vulners.com/cve/CVE-2022-24483>)). Little is known about this vulnerability and no one has highlighted this vulnerability, but there is a [PoC for it on github](<https://github.com/waleedassar/CVE-2022-24483>).\n * **Remote Code Execution** - Windows DNS Server ([CVE-2022-26812](<https://vulners.com/cve/CVE-2022-26812>), [CVE-2022-26814](<https://vulners.com/cve/CVE-2022-26814>), [CVE-2022-26829](<https://vulners.com/cve/CVE-2022-26829>)). Also, no one highlighted this vulnerability. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Proof-of-Concept Exploit). There were 18(!) DNS Server bugs receiving patches this month.\n\nFor the remaining vulnerabilities, there is neither a sign of exploitation in the wild, nor a sign of a public exploit. Let's see the most interesting ones.\n\n * **Remote Code Execution** - Windows SMB ([CVE-2022-24500](<https://vulners.com/cve/CVE-2022-24500>)). This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. Exploitability Assessment: Exploitation Less Likely. **Remote Code Execution** - Windows Kernel ([CVE-2022-24541](<https://vulners.com/cve/CVE-2022-24541>)) is actually a similar SMB vulnerability as well.\n * **Remote Code Execution** - Windows Network File System ([CVE-2022-24491](<https://vulners.com/cve/CVE-2022-24491>), [CVE-2022-24497](<https://vulners.com/cve/CVE-2022-24497>)). 
An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: This vulnerability is only exploitable for systems that have the NFS role enabled. Exploitability Assessment: Exploitation More Likely.\n\nAs you can see, additional sources of comments actually repeat everything that ZDI, Qualys, Rapid7 and Tenable highlight, but sometimes they add interesting details about vulnerabilities.\n\nThe full report is available: [ms_patch_tuesday_april2022_report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-23T09:22:32", "type": "avleonov", "title": "Microsoft Patch Tuesday April 2022 and custom CVE comments sources in Vulristics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-1096", "CVE-2022-24483", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24528", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26812", 
"CVE-2022-26814", "CVE-2022-26829", "CVE-2022-26904"], "modified": "2022-04-23T09:22:32", "id": "AVLEONOV:535BC5E36A5D2C8F60753A2CD4676692", "href": "https://avleonov.com/2022/04/23/microsoft-patch-tuesday-april-2022-and-custom-cve-comments-sources-in-vulristics/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-11-30T12:27:39", "description": "Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary An active "Bleed You" campaign is leveraging a critical RCE (CVE-2022-34721) vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions to assist subsequent malware and ransomware assaults and lateral network movement. This attack targeted vulnerable Windows operating systems, servers, protocols, and services.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-30T11:46:31", "type": "hivepro", "title": "Adversaries strike critical Windows IKE flaw in the \u201cBleed You\u201d campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34721"], "modified": "2022-11-30T11:46:31", "id": "HIVEPRO:E84F8B6C5ACC25E1292D697BE03628CC", "href": "https://www.hivepro.com/adversaries-strike-critical-windows-ike-flaw-in-the-bleed-you-campaign/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-16T10:06:15", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary Microsoft addressed a zero-day vulnerability identified as CVE-2022-37969, an Elevation of Privilege vulnerability, in addition to a broad array of 
other significant flaws that might lead to Remote Code Execution, Information Disclosure, and Denial of Service.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-16T09:03:27", "type": "hivepro", "title": "Microsoft busts an actively exploited zero-day and several critical flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-37969"], "modified": "2022-09-16T09:03:27", "id": "HIVEPRO:B146CB21244E67A8A5B49722A69EDFE7", "href": "https://www.hivepro.com/microsoft-busts-an-actively-exploited-zero-day-and-several-critical-flaws/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-11T15:49:25", "description": "Threat Level Attack Report For a detailed advisory, download the pdf file here Summary The threat actors behind the Cuba ransomware have stepped up their game by using a new Remote Access Trojan called ROMCOM and weaponizing a local privilege escalation vulnerability(CVE-2022-24521). 
A wide range of industries was targeted, including professional and legal services and state and local government.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-11T12:34:37", "type": "hivepro", "title": "Zero-day vulnerability leveraged to deploy Cuba Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-08-11T12:34:37", "id": "HIVEPRO:AB4C2A84604B0434A37D2695927D9A64", "href": "https://www.hivepro.com/zero-day-vulnerability-leveraged-to-deploy-cuba-ransomware/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-22T17:42:03", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Microsoft addressed 128 vulnerabilities in there April patch Tuesday update. Two of them have been categorized as zero-day vulnerabilities. One of the two zero-days is exploited-in-the-wild as well. The vulnerability, CVE-2022-24521, has been exploited in the wild. By exploiting this flaw in the Windows Common Log File System (CLFS) driver, an attacker can escalate privileges. 
The second zero-day is CVE-2022-26904, which is discovered in the Windows User Profile Service also permits the escalation of privileges. Despite being listed as more likely to be exploited, it has a high attack complexity, and successful exploitation requires an attacker to win a race condition. Organizations have advised the patch all these vulnerabilities as soon as possible to avoid exploitation. Potential MITRE ATT&CK TTPs are: TA0042: Resource Development T1588: Obtain Capabilities T1588.006: Obtain Capabilities: Vulnerabilities TA0001: Initial Access T1190: Exploit Public-Facing Application TA0004: Privilege Escalation T1068: Exploitation for Privilege Escalation Vulnerability Detail Patch Links https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904 References https://www.cisa.gov/uscert/ncas/current-activity/2022/04/12/microsoft-releases-april-2022-security-updates", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T05:08:02", "type": "hivepro", "title": "Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521", "CVE-2022-26904"], "modified": "2022-04-14T05:08:02", "id": "HIVEPRO:F62D9BF485959B812585A48122216FD7", "href": "https://www.hivepro.com/microsoft-patch-tuesday-april-2022-addressed-two-zero-day-vulnerabilities/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-21T07:30:07", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 765 14 1 2 6 25 The third week of April 2022 witnessed a huge spike on the discovery of 765 vulnerabilities out of which 14 gained the attention of Threat Actors and security researchers worldwide. Among these 14, there were 5 zero-day, 9 of them are undergoing analysis and 2 other vulnerabilities about which the National vulnerability Database (NVD) is awaiting analysis while 1 was not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action. Further, we also observed a Threat Actor groups being highly active in the last week. OldGremlin, a Russian threat actor group popular for financial crime and gain, was observed targeting Russian agencies Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. 
Detailed Report:\n\nInteresting Vulnerabilities (vendor / CVEs / patch link; * = zero-day vulnerability):\n * Microsoft: CVE-2022-24521*, CVE-2022-26904* - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521 , https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904\n * Google: CVE-2022-1364* - https://www.google.com/intl/en/chrome/?standalone=1\n * VMware: CVE-2022-22954*, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960*, CVE-2022-22961 - https://kb.vmware.com/s/article/88099\n * Zimbra: CVE-2018-6882 - https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7\n * AWS: CVE-2022-25165, CVE-2022-25166 - https://aws.amazon.com/vpn/client-vpn-download/\n\nActive Actors (name / origin / motive):\n * OldGremlin / Russia / financial crime and gain\n\nTargeted Location: (figure)\nTargeted Sectors: (figure)\n\nCommon TTPs:\n * TA0043 Reconnaissance: T1592 Gather Victim Host Information (T1592.001 Hardware, T1592.002 Software); T1590 Gather Victim Network Information (T1590.005 IP Addresses)\n * TA0042 Resource Development: T1583 Acquire Infrastructure (T1583.001 Domains, T1583.002 DNS Server); T1587 Develop Capabilities (T1587.001 Malware); T1585 Establish Accounts (T1585.002 Email Accounts); T1588 Obtain Capabilities (T1588.006 Vulnerabilities)\n * TA0001 Initial Access: T1190 Exploit Public-Facing Application; T1566 Phishing (T1566.001 Spearphishing Attachment, T1566.002 Spearphishing Link)\n * TA0002 Execution: T1059 Command and Scripting Interpreter (T1059.003 Windows Command Shell, T1059.007 JavaScript); T1204 User Execution (T1204.001 Malicious Link, T1204.002 Malicious File)\n * TA0004 Privilege Escalation: T1548 Abuse Elevation Control Mechanism; T1068 Exploitation for Privilege Escalation\n * TA0005 Defense Evasion: T1548 Abuse Elevation Control Mechanism; T1027 Obfuscated Files or Information\n * TA0006 Credential Access: T1555 Credentials from Password Stores (T1555.004 Windows Credential Manager)\n * TA0011 Command and Control: T1071 Application Layer Protocol (T1071.001 Web Protocols, T1071.004 DNS); T1132 Data Encoding (T1132.001 Standard Encoding); T1568 Dynamic Resolution (T1568.002 Domain Generation Algorithms); T1573 Encrypted Channel (T1573.001 Symmetric Cryptography); T1572 Protocol Tunneling\n\nThreat Advisories:\n * Two actively exploited vulnerabilities affect multiple VMware products\n * Google Chrome issues an emergency update to address the third zero-day of year 2022\n * Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities\n * Old Zimbra vulnerability used to target Ukrainian Government Organizations\n * Two Vulnerabilities discovered in AWS Client VPN\n * OldGremlin, a threat actor targeting Russian organizations with phishing emails since 2020", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T04:59:07", "type": "hivepro", "title": "Weekly Threat Digest: 11 \u2013 17 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6882", "CVE-2022-1364", "CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961", "CVE-2022-24521", "CVE-2022-25165", "CVE-2022-25166", "CVE-2022-26904"], "modified": "2022-04-21T04:59:07", "id": 
"HIVEPRO:F95B9B5A24C6987E85478A62BD37DD7D", "href": "https://www.hivepro.com/weekly-threat-digest-11-17-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-06-03T17:13:46", "description": "Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**adenosine-phosphatase** at September 18, 2022 10:32am UTC reported:\n\nI must be missing something, as the PoC script <https://github.com/78ResearchLab/PoC/blob/main/CVE-2022-34721/CVE-2022-34721.py> does not trigger any exception/BSOD, let alone the RCE.\n\nFrom what I can see, the script does not carry any RCE payload, but I thought it would at least cause some app/OS exception. \nWhen I fire it up against a w2k19 VPN server, nothing happens. \nI would have expected that at least some kind of unhandled exception/BSOD occurred, but nothing \u2026\n\nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-11T00:00:00", "type": "attackerkb", "title": "CVE-2022-34721", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-34721"], "modified": "2023-04-11T00:00:00", "id": "AKB:95BA23FE-CAB6-4758-B294-2A870F37726D", "href": "https://attackerkb.com/topics/8TikmBcfwd/cve-2022-34721", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T08:12:55", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-11T00:00:00", "type": "attackerkb", "title": "CVE-2022-37969", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37969"], "modified": "2023-04-11T00:00:00", "id": "AKB:48AB1318-D726-4F76-9889-74353FF980EF", "href": "https://attackerkb.com/topics/ZMtSR5b70g/cve-2022-37969", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-10T14:53:46", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24481.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2022-24521", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-15T00:00:00", "id": "AKB:157B4991-86A2-4A89-BD44-780E51F9FB80", "href": "https://attackerkb.com/topics/K2kXXKFdhh/cve-2022-24521", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-10T14:47:43", "description": "Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-24521.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2022-24481", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24481", "CVE-2022-24521"], "modified": "2022-04-15T00:00:00", "id": "AKB:40A7EAF7-B14F-423F-9645-C4381123F28D", "href": "https://attackerkb.com/topics/8jIdAvrqnS/cve-2022-24481", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-06-03T15:24:43", "description": "Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability which allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37969"], "modified": "2022-09-14T00:00:00", "id": "CISA-KEV-CVE-2022-37969", "href": "", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-10T15:46:28", "description": "Microsoft Windows Common Log File System (CLFS) Driver contains an unspecified vulnerability that allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows CLFS Driver Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24521"], "modified": "2022-04-13T00:00:00", "id": "CISA-KEV-CVE-2022-24521", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2022-10-25T16:02:24", "description": "In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. Shifting ransomware payloads over time from [BlackCat](<https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/>), [QuantumLocker](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>), and [Zeppelin](<https://www.cisa.gov/uscert/ncas/alerts/aa22-223a>), DEV-0832\u2019s latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as _.v-s0ciety_, ._v-society_, and, most recently, _.locked_. In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.\n\nDEV-0832 is a cybercriminal group that has reportedly been active as early as June 2021. While the latest attacks between July and October 2022 have heavily impacted the education sector, DEV-0832\u2019s previous opportunistic attacks have affected various industries like local government and retail. Microsoft assesses that the group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payout. 
Before deploying ransomware, DEV-0832 relies on tactics, techniques, and procedures commonly used among other ransomware actors, including the use of PowerShell scripts, repurposed legitimate tools, exploits for publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege, and commodity backdoors like _SystemBC_.\n\nRansomware has evolved into a complex threat that\u2019s human-operated, adaptive, and focused on a wider scale, using data extortion as a monetization strategy to become even more impactful in recent years. To find easy entry and privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene and legacy configurations or misconfigurations. Defenders can build a robust defense against ransomware by reading our [ransomware as a service blog](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>).\n\nIn this blog, we detail Microsoft\u2019s analysis of observed DEV-0832 activity, including the tactics and techniques used across the group\u2019s campaigns, with the goal of helping customers identify, investigate, and remediate activity in their environments. We provide hunting queries to help customers comprehensively search their environments for relevant indicators as well as protection and hardening guidance to help organizations increase resilience against these and similar attacks.\n\n## Who is DEV-0832 (Vice Society)?\n\nMicrosoft has identified multiple campaigns attributed to DEV-0832 over the past year based on the use of a unique PowerShell file name, staging directories, and ransom payloads and their accompanying notes. To gain an initial foothold in compromised networks, DEV-0832 has [reportedly exploited vulnerable web-facing applications and used valid accounts](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>). 
However, due to limited initial signals from affected organizations, Microsoft has not confirmed these attack vectors. Attackers then use custom PowerShell scripts, commodity tools, exploits for disclosed vulnerabilities, and native Windows binaries to gather privileged credentials, move laterally, collect and exfiltrate data, and deploy ransomware.\n\nAfter deploying ransomware, DEV-0832 demands a ransom payment, threatening to leak stolen data on the group\u2019s _[.]onion_ site. In some cases, Microsoft observed that DEV-0832 did not deploy ransomware. Instead, the actors appeared to exfiltrate data and dwell within compromised networks. The group sometimes avoids a ransomware payload in favor of simple extortion\u2014threatening to release stolen data unless a payment is made.\n\nThe group also goes to significant measures to ensure that an organization cannot recover from the attack without paying the ransom: Microsoft has observed DEV-0832 access two domain administrator accounts and reset user passwords of over 150,000 users, essentially locking out legitimate users before deploying ransomware to some devices. This effectively interrupts remediation efforts, including attempts to prevent the ransomware payload or post-compromise incident response.\n\n### Toolset\n\n#### Ransomware payloads\n\nMicrosoft has observed DEV-0832 deploy multiple commodity ransomware variants over the past year: BlackCat, QuantumLocker, Zeppelin, and most recently a Vice Society-branded variant of the Zeppelin ransomware. While many ransomware groups have shifted away from branded file extensions in favor of randomly generated ones, DEV-0832 incorporated branding with their Vice Society variant using _.v-s0ciety_ or _.v-society_ file extensions. 
Most recently in late September 2022, DEV-0832 again modified their ransomware payload to a variant dubbed RedAlert, using a _.locked_ file extension.\n\nIn one July 2022 intrusion, Microsoft security researchers identified DEV-0832 attempt to deploy QuantumLocker binaries, then within five hours, attempt to deploy suspected Zeppelin ransomware binaries. Such an incident might suggest that DEV-0832 maintains multiple ransomware payloads and switches depending on target defenses or, alternatively, that dispersed operators working under the DEV-0832 umbrella might maintain their own preferred ransomware payloads for distribution. The shift from a [ransomware as a service](<https://aka.ms/ransomware-as-a-service>) (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities.\n\nIn many intrusions, DEV-0832 stages their ransomware payloads in a hidden share on a Windows system, for example accessed via a share name containing \u201c$\u201d. Once DEV-0832 has exfiltrated data, they then distribute the ransomware onto local devices for launching, likely using group policy, as shown in the below command:\n\nFigure 1. Group policy to distribute ransomware onto local devices\n\nThe group also has cross-platform capabilities: Microsoft identified the deployment of a Vice Society Linux Encryptor on a Linux ESXi server.\n\n#### PowerShell scripts\n\nDEV-0832 uses a PowerShell script to conduct a variety of malicious activities and make system-related changes within compromised networks. 
Like their ransomware payloads, DEV-0832 typically stages their PowerShell scripts on a domain controller.\n\nMicrosoft security researchers have observed several variations among identified DEV-0832 PowerShell scripts, indicating ongoing refinement and development over time\u2014while some only perform system discovery commands, other scripts are further modified to perform persistence, defense evasion, data exfiltration, and even distribute the ransomware payloads.\n\n#### Commodity tools\n\nAccording to Microsoft investigations, DEV-0832 has used two commodity backdoors in ransomware attacks: _SystemBC_ and _PortStarter_.\n\n_SystemBC_ is a post-compromise commodity remote access trojan (RAT) and proxy tool that has been incorporated into multiple diverse ransomware attacks. In one DEV-0832 intrusion, the attacker used both a compromised domain admin user account and a compromised contractor account to launch a PowerShell command that launched a _SystemBC_ session under the value name \u201csocks\u201d:\n\nFigure 2. PowerShell command launching a SystemBC session named \u2018socks\u2019\n\n_PortStarter_ is a backdoor written in Go. According to Microsoft analysis, this malware provides functionality such as modifying firewall settings and opening ports to connect to pre-configured command-and-control (C2) servers.\n\nDEV-0832 has also deployed ransomware payloads using the remote launching tool Power Admin. Power Admin is a legitimate tool that provides functionality to monitor servers and applications, as well as file access auditing. 
If an organization has enabled Console Security settings within Power Admin, an attacker must have credentials to make authorized changes.\n\nOther commodity tools identified in DEV-0832 attacks include Advanced Port Scanner and Advanced IP Scanner for network discovery.\n\n#### Abuse of legitimate tooling\n\nLike many other ransomware actors, DEV-0832 relies on misusing legitimate system tools to reduce the need to launch malware or malicious scripts that automated security solutions might detect. Observed tools include:\n\n * Use of the [Windows Management Instrumentation Command-line](<https://learn.microsoft.com/windows/win32/wmisdk/wmic>) (WMIC) to launch commands that delete Mongo databases, other backups, and security programs.\n * Use of Impacket\u2019s WMIexec functionality, an open-source tool to launch commands via WMI, and Impacket _atexec.py_, which launches commands using Task Scheduler.\n * Use of the [vssadmin](<https://learn.microsoft.com/windows-server/administration/windows-commands/vssadmin>) command to delete shadow copy backups on Windows Server.\n * Use of [PsExec](<https://learn.microsoft.com/sysinternals/downloads/psexec>) to remotely launch PowerShell, batch scripts, and deploy ransomware payloads\n\nAdditionally, in one identified intrusion, DEV-0832 attempted to turn off Microsoft Defender Antivirus using registry commands. [Enabling Microsoft Defender Antivirus tamper protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection>) helps block this type of activity.\n\nFigure 3. 
Registry commands that attempt to tamper with Microsoft Defender antivirus software\n\n### Harvesting privileged credentials for ransomware deployment\n\nLike other ransomware groups, after gaining an initial foothold within a network, DEV-0832 moves quickly to gather valid local administrator or domain credentials to ensure they can distribute ransomware payloads throughout the network for maximum impact.\n\n#### Credential dumps\n\nWhile Microsoft has not identified all the credential access techniques of DEV-0832, in many instances DEV-0832 accesses Local Security Authority Subsystem Service (LSASS) dumps to obtain valid account credentials that were present in memory. Microsoft also observed that, instead of using a tool like Mimikatz to access a credential dump, DEV-0832 typically abuses the MiniDump export of the built-in _comsvcs.dll_ to dump the LSASS process memory. Other ransomware actors have been observed using the same technique. \n\nIn cases where DEV-0832 obtained domain-level administrator accounts, they accessed NTDS dumps for later cracking. The following command shows the attacker exfiltrating the _NTDS.dit_ file, which stores Active Directory data, to an actor-created directory:\n\nFigure 4. Example of attacker command to exfiltrate the \u2018NTDS.dit\u2019 file\n\n#### Kerberoast\n\nMicrosoft has also identified that DEV-0832 used the malicious PowerSploit module [_Invoke-Kerberoast_](<https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/>) to perform a Kerberoast attack, which is a post-exploitation technique used to obtain credentials for a service account from Active Directory Domain Services (AD DS). The _Invoke-Kerberoast_ module requests encrypted service tickets and returns them in an attacker-specified output format compatible with cracking tools. The group can use the cracked Kerberos hashes to reveal passwords for service accounts, often providing access to an account that has the equivalent of domain admin privileges. 
Furthermore, one Kerberos service ticket can have many associated service principal names (SPNs); successful Kerberoasting can then grant an attacker access to the SPNs\u2019 associated service or user accounts, such as obtaining ticket granting service (TGS) tickets for Active Directory SPNs that would allow an attacker to do offline password cracking.\n\nCombined with the fact that service account passwords are not usually set to expire and typically remain unchanged for a great length of time, attackers like DEV-0832 continue to rely on Kerberoasting in compromised networks. Microsoft 365 Defender blocks this attack with Antimalware Scan Interface (AMSI) and machine learning. Monitor for alerts that reference Kerberoast attacks closely as the presence of these alerts typically indicates a human adversary in your environment.\n\n#### Account creation\n\nIn one suspected DEV-0832 intrusion, Microsoft observed an operator create accounts that, based on the naming convention, were designed to blend in as admin accounts and allow persistence without malware, as shown in the following command:\n\nFigure 5. Attacker command to create accounts\n\nMonitoring newly created accounts can help identify this type of suspicious activity that does not rely on launching malware for persistence in the environment.\n\n#### Exploitation of privilege escalation vulnerabilities\n\nIn August 2022, Microsoft security researchers identified one file during a DEV-0832 intrusion indicating that the group has incorporated an exploit for the disclosed, patched security flaw [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) (Windows Common Log File System (CLFS) logical-error vulnerability). Microsoft released a patch in April 2022. 
The DEV-0832 file spawns a new _cmd.exe_ process with system privileges.\n\nAccording to public reporting, DEV-0832 has also incorporated exploits for the [PrintNightmare](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>) vulnerability to escalate privileges in a domain. Combined with the CVE-2022-24521 exploit code, it is likely that DEV-0832, like many other adversaries, quickly incorporates available exploit code for disclosed vulnerabilities into their toolset to target unpatched systems.\n\n#### Lateral movement with valid accounts\n\nAfter gaining credentials, DEV-0832 frequently moves laterally within a network using Remote Desktop Protocol (RDP). And as previously mentioned, DEV-0832 has also used valid credentials to interact with remote network shares over Server Message Block (SMB) where they stage ransomware payloads and PowerShell scripts.\n\n### Data exfiltration\n\nIn one known intrusion, DEV-0832 operators exfiltrated hundreds of gigabytes of data by launching their PowerShell script, which was staged on a network share. The script contained hardcoded attacker-owned IP addresses and searched for wide-ranging, non-targeted keywords ranging from financial documents to medical information, while excluding files containing keywords such as varied antivirus product names or file artifact extensions. Given the wide range of keywords included in the script, it is unlikely that DEV-0832 regularly customizes it for each target.\n\nMicrosoft suspects that DEV-0832 uses legitimate tools Rclone and MegaSync for data exfiltration as well; many ransomware actors leverage these tools, which provide capabilities to upload files to cloud storage. 
DEV-0832 also uses file compression tools to collect data from compromised devices.\n\n## Mitigations\n\nApply these mitigations to reduce the impact of this threat:\n\n * Use [device discovery](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery>) to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n * Use [Microsoft Defender Vulnerability Management](<https://security.microsoft.com/vulnerabilities>) to assess your current status and deploy any updates that might have been missed.\n * Utilize [Microsoft Defender Firewall](<https://support.microsoft.com/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f>), intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.\n * Turn on [cloud-delivered protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus>) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [endpoint detection and response (EDR) in block mode](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\n * Enable [investigation and remediation](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * [LSA protection](<https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection>) is enabled by default on new Windows 11 devices, hardening the platform against credential dumping techniques. LSA PPL protection will further restrict access to memory dumps making it hard to obtain credentials.\n * Refer to Microsoft\u2019s blog [Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware>) for recommendations on building strong credential hygiene and other robust measures to defend against ransomware.\n\nMicrosoft customers can turn on [attack surface reduction rules](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction>) to prevent several of the infection vectors of this threat. These rules, which can be configured by any administrator, offer significant hardening against ransomware attacks. 
In observed attacks, Microsoft customers who had the following rules enabled were able to mitigate the attack in its initial stages and prevent hands-on-keyboard activity:

 * [Block process creations originating from PsExec and WMI commands](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?#block-process-creations-originating-from-psexec-and-wmi-commands>)
 * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)
 * [Use advanced protection against ransomware](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#use-advanced-protection-against-ransomware>)
 * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)

## Detection details

### Microsoft Defender Antivirus

[Microsoft Defender Antivirus](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide>) detects DEV-0832’s Vice Society-branded Zeppelin variant as the following malware:

 * [Ransom:Win32/VSocCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/VSocCrypt.PA!MTB&threatId=-2147138765>)
 * [Trojan:PowerShell/VSocCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/VSocCrypt.PA!MTB&threatId=-2147136227>)
 * [Ransom:Linux/ViceSociety](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Linux/ViceSociety.D!MTB&threatId=-2147136262>)

Other commodity ransomware variants previously leveraged by DEV-0832 are detected as:

 * [Behavior:Win32/Ransomware!Quantum.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Ransomware!Quantum.A&threatId=-2147147947>)
 * [Behavior:Win32/Quantum.AA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Quantum.AA&threatId=-2147147852>)
 * [Ransom:Win32/Zeppelin](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Zeppelin&threatId=-2147188430>)
 * [Ransom:Win32/Blackcat](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Blackcat&threatId=-2147158032>)

_SystemBC_ and _PortStarter_ are detected as:

 * [Behavior:Win32/SystemBC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/SystemBC.A!nri&threatId=-2147149800>)
 * [Trojan:Win32/SystemBC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/SystemBC.SA!sms&threatId=-2147150468>)
 * [Backdoor:Win64/PortStarter](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win64/PortStarter&threatId=-2147137231>)

Some pre-ransomware intrusion activity used in multiple campaigns by various activity groups can be detected generically. During identified DEV-0832 activity, associated command line activity was detected with generic detections, including:

 * Behavior:Win32/OfficeInjectingProc.A
 * Behavior:Win32/PsexecRemote.E
 * Behavior:Win32/SuspRemoteCopy.B
 * Behavior:Win32/PSCodeInjector.A
 * Behavior:Win32/REnamedPowerShell.A

### Microsoft Defender for Endpoint

The following [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1>) alerts can indicate threat activity on your network:

 * DEV-0832 activity group
 * 'VSocCrypt' ransomware was prevented

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

 * Use of living-off-the-land binary to run malicious code
 * Potential SystemBC execution via Windows Task Scheduler
 * Suspicious sequence of exploration activities
 * Process memory dump
 * Suspicious behavior by cmd.exe was observed
 * Suspicious remote activity
 * Suspicious access to LSASS service
 * Suspicious credential dump from NTDS.dit
 * File backups were deleted
 * System recovery setting tampering

The post [DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector](<https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).
**Source:** [DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector](<https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/>), Microsoft Security Blog, published 2022-10-25 (related CVE: CVE-2022-24521).

In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. DEV-0832 has shifted ransomware payloads over time, from [BlackCat](<https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/>) to [QuantumLocker](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) and [Zeppelin](<https://www.cisa.gov/uscert/ncas/alerts/aa22-223a>); its latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as _.v-s0ciety_, _.v-society_, and, most recently, _.locked_. In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.

DEV-0832 is a cybercriminal group that has reportedly been active as early as June 2021. While the latest attacks between July and October 2022 have heavily impacted the education sector, DEV-0832’s previous opportunistic attacks have affected various industries like local government and retail. Microsoft assesses that the group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payout. Before deploying ransomware, DEV-0832 relies on tactics, techniques, and procedures commonly used among other ransomware actors, including the use of PowerShell scripts, repurposed legitimate tools, exploits for publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege, and commodity backdoors like _SystemBC_.

Ransomware has evolved into a complex threat that’s human-operated, adaptive, and focused on a wider scale, using data extortion as a monetization strategy to become even more impactful in recent years. To find easy entry and privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene and legacy configurations or misconfigurations. Defenders can build a robust defense against ransomware by reading our [ransomware as a service blog](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>).

In this blog, we detail Microsoft’s analysis of observed DEV-0832 activity, including the tactics and techniques used across the group’s campaigns, with the goal of helping customers identify, investigate, and remediate activity in their environments. We provide hunting queries to help customers comprehensively search their environments for relevant indicators as well as protection and hardening guidance to help organizations increase resilience against these and similar attacks.

## Who is DEV-0832 (Vice Society)?

Microsoft has identified multiple campaigns attributed to DEV-0832 over the past year based on the use of a unique PowerShell file name, staging directories, and ransom payloads and their accompanying notes. To gain an initial foothold in compromised networks, DEV-0832 has [reportedly exploited vulnerable web-facing applications and used valid accounts](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>). However, due to limited initial signals from affected organizations, Microsoft has not confirmed these attack vectors. Attackers then use custom PowerShell scripts, commodity tools, exploits for disclosed vulnerabilities, and native Windows binaries to gather privileged credentials, move laterally, collect and exfiltrate data, and deploy ransomware.

After deploying ransomware, DEV-0832 demands a ransom payment, threatening to leak stolen data on the group’s _[.]onion_ site. In some cases, Microsoft observed that DEV-0832 did not deploy ransomware. Instead, the actors appeared to exfiltrate data and dwell within compromised networks. The group sometimes avoids a ransomware payload in favor of simple extortion—threatening to release stolen data unless a payment is made.

The group also goes to significant measures to ensure that an organization cannot recover from the attack without paying the ransom: Microsoft has observed DEV-0832 access two domain administrator accounts and reset user passwords of over 150,000 users, essentially locking out legitimate users before deploying ransomware to some devices. This effectively interrupts remediation efforts, including attempts to prevent the ransom