Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — reachable over the network with no authentication and no user interaction). This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions; a host is exposed only if the DNS Server role is installed and enabled. Non-Microsoft DNS Servers are not affected, and Check Point reports that the Windows DNS client (dnsapi.dll) is not susceptible to the same bug. Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible; where the update cannot be installed immediately, the TcpReceivePacketSize registry workaround described further down this page can serve as an interim mitigation until it is.
[ July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server Read More »](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>)
{"id": "MSRC:79080D1EA83C3BB4689C763E5FACBDB5", "type": "msrc", "bulletinFamily": "blog", "title": "July 2020 Security Update:\u202fCVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server", "description": "Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a \u2018wormable\u2019 vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected. Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this \u2026\n\n[ July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server Read More \u00bb](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>)", "published": "2020-07-14T17:01:00", "modified": "2020-07-14T17:01:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "reporter": "MSRC Team", "references": [], "cvelist": ["CVE-2020-1350"], "lastseen": "2020-09-21T18:52:49", "viewCount": 508, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:1DE0ADEC-8107-491A-BC8F-DCC3BF6EB3AB"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "AVLEONOV:1ABE5F69187E5F9F8625DA462772F80C", "AVLEONOV:7DAB33D28205885E8979C4C664958CDC"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0658"]}, {"type": "cisa", "idList": ["CISA:0A6DEB06CFB7BDA5A3D72E0F236C5665", "CISA:72803FA1C7CD81E274A0417B0A34353E"]}, {"type": "cve", "idList": ["CVE-2020-1350"]}, 
{"type": "githubexploit", "idList": ["0AF42B8A-DF0D-58F8-AB60-9E7C63ED9EEB", "2A7F5F31-A737-556D-A869-05B87FD1F625", "37D3D343-97C5-5C12-8595-042E337E31C0", "479FD3C0-1269-5BC3-BD67-CDEE0485485A", "5F6BE6F7-C220-5BDD-BE92-A5156F21A1B2", "730EEC4F-BE81-5690-BA8D-B89482C5C3D0", "93EEDE73-1DB4-5905-BCAB-CDC6F98831CD", "9DE76D04-93D7-5923-9AE3-457D591197D6", "A37C8010-D2C6-52F5-9079-96E8A538B6CA", "B1274C64-524E-5AAB-9D50-AC7043563B81", "C96C8DD1-344C-5476-85AC-6D2865A5C00F", "CB69BCC3-2317-5740-8B01-4F6F0D320AC3", "DD3676BD-E792-5189-86EE-4765FF68EFCB", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "F3CF4A79-402B-56C0-8689-1AF5EBFECF3F", "FA6C0B5A-E89D-54A7-B603-4D8095BF66DD", "FB0D7C2A-01EB-5929-A539-96230C17B90F", "FFF6ABA4-7461-5653-836A-79F11037A7FF"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200716-01-DNS"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:020B268DFC760B88704D35A6F4CF30D7"]}, {"type": "kaspersky", "idList": ["KLA11863", "KLA11865"]}, {"type": "krebs", "idList": ["KREBS:1A886B22AAF8ADC53874F0E126C5A96D"]}, {"type": "mscve", "idList": ["MS:CVE-2020-1350"]}, {"type": "nessus", "idList": ["MS_DNS_CVE-2020-1350.NASL", "SMB_NT_MS20_JUL_DNS_CHECK.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310817088", "OPENVAS:1361412562310817224", "OPENVAS:1361412562310817226", "OPENVAS:1361412562310817228", "OPENVAS:1361412562310817230", "OPENVAS:1361412562310817231", "OPENVAS:1361412562310817232"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:8028F138635C78F91B08AB2CF72FA154", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "QUALYSBLOG:F343178EEC11B54CFAFBD0B4D505010B"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492"]}, {"type": "thn", "idList": ["THN:DBFCCEBE2752BA05D9181D55D3477666"]}, {"type": "threatpost", "idList": 
["THREATPOST:363C332F7046A481C24C7172C55CF758", "THREATPOST:7E6D2DBA11B2CCCE264B0982306FBEB1", "THREATPOST:96E775E045D4DF55CC1B9A3AA0C28F70"]}]}, "score": {"value": 9.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:1DE0ADEC-8107-491A-BC8F-DCC3BF6EB3AB"]}, {"type": "avleonov", "idList": ["AVLEONOV:1ABE5F69187E5F9F8625DA462772F80C"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0658"]}, {"type": "cisa", "idList": ["CISA:0A6DEB06CFB7BDA5A3D72E0F236C5665", "CISA:72803FA1C7CD81E274A0417B0A34353E"]}, {"type": "cve", "idList": ["CVE-2020-1350"]}, {"type": "githubexploit", "idList": ["0AF42B8A-DF0D-58F8-AB60-9E7C63ED9EEB", "2A7F5F31-A737-556D-A869-05B87FD1F625", "37D3D343-97C5-5C12-8595-042E337E31C0", "479FD3C0-1269-5BC3-BD67-CDEE0485485A", "5F6BE6F7-C220-5BDD-BE92-A5156F21A1B2", "93EEDE73-1DB4-5905-BCAB-CDC6F98831CD", "9DE76D04-93D7-5923-9AE3-457D591197D6", "A37C8010-D2C6-52F5-9079-96E8A538B6CA", "C96C8DD1-344C-5476-85AC-6D2865A5C00F", "CB69BCC3-2317-5740-8B01-4F6F0D320AC3", "DD3676BD-E792-5189-86EE-4765FF68EFCB", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "F3CF4A79-402B-56C0-8689-1AF5EBFECF3F", "FA6C0B5A-E89D-54A7-B603-4D8095BF66DD", "FB0D7C2A-01EB-5929-A539-96230C17B90F", "FFF6ABA4-7461-5653-836A-79F11037A7FF"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200716-01-DNS"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:020B268DFC760B88704D35A6F4CF30D7"]}, {"type": "kaspersky", "idList": ["KLA11863", "KLA11865"]}, {"type": "krebs", "idList": ["KREBS:1A886B22AAF8ADC53874F0E126C5A96D"]}, {"type": "mscve", "idList": ["MS:CVE-2020-1350"]}, {"type": "nessus", "idList": ["MS_DNS_CVE-2020-1350.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310817088", "OPENVAS:1361412562310817224", "OPENVAS:1361412562310817226", "OPENVAS:1361412562310817228", "OPENVAS:1361412562310817230", "OPENVAS:1361412562310817231", "OPENVAS:1361412562310817232", "OPENVAS:1361412562311220201350"]}, {"type": "pentestpartners", "idList": 
["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:8028F138635C78F91B08AB2CF72FA154", "QUALYSBLOG:F343178EEC11B54CFAFBD0B4D505010B"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492"]}, {"type": "thn", "idList": ["THN:DBFCCEBE2752BA05D9181D55D3477666"]}, {"type": "threatpost", "idList": ["THREATPOST:363C332F7046A481C24C7172C55CF758", "THREATPOST:7E6D2DBA11B2CCCE264B0982306FBEB1", "THREATPOST:96E775E045D4DF55CC1B9A3AA0C28F70"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2020-1350", "epss": "0.928020000", "percentile": "0.984330000", "modified": "2023-03-16"}], "vulnersScore": 9.6}, "immutableFields": [], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "edition": 2, "scheme": null, "_state": {"dependencies": 1647589307, "score": 1684001301, "epss": 1678988709}, "_internal": {"score_hash": "7d934ab72c8f71e44c7681ac578d9d13"}}
{"thn": [{"lastseen": "2022-05-09T12:40:15", "description": "[](<https://thehackernews.com/images/-CFswC_0BsxM/Xw3l4OFeD0I/AAAAAAAA3BU/WOcga12uuyA8n43M9fyL5rlNdMXOc7CTwCLcBGAsYHQ/s728-e100/windows-dns-server-hacking.jpg>)\n\nCybersecurity researchers today disclosed a new highly critical \"wormable\" vulnerability\u2014carrying a severity score of 10 out of 10 on the CVSS scale\u2014affecting Windows Server versions 2003 to 2019. \n \nThe 17-year-old remote code execution flaw ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), dubbed '**SigRed**' by Check Point, could allow an unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and seize complete control of an organization's IT infrastructure. \n \nA threat actor can exploit SigRed vulnerability by sending crafted malicious DNS queries to a Windows DNS server and achieve arbitrary code execution, enabling the hacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials and much more. \n \nIn a detailed [report](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) shared with The Hacker News, Check Point researcher Sagi Tzadik confirmed that the flaw is wormable in nature, allowing attackers to launch an attack that can spread from one vulnerable computer to another without any human interaction. \n \n\"A single exploit can start a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any human interaction,\" the researcher said. 
\n \n\"This means that a single compromised machine could be a 'super spreader,' enabling the attack to spread throughout an organization's network within minutes of the first exploit.\" \n \nAfter the cybersecurity firm responsibly disclosed its findings to Microsoft, the Windows maker prepared a patch for the vulnerability and began rolling it out starting today as part of its July Patch Tuesday, which also includes security updates for 122 other vulnerabilities, with a total 18 flaws listed as critical, and 105 as important in severity. \n \nMicrosoft [said](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>) it found no evidence to show that the bug has been actively exploited by attackers, and advised users to install the patches immediately. \n \n\"Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,\" Microsoft said. \n \n\n\n## Crafting Malicious DNS Responses\n\n \nStating that the objective was to identify a vulnerability that would let an unauthenticated attacker compromise a Windows Domain environment, Check Point researchers said they focused on Windows DNS, specifically taking a closer look at how a DNS server parses an incoming query or a response for a forwarded query. \n \nA forwarded query happens when a DNS server cannot resolve the IP address for a given domain name (e.g., www.google.com), resulting in the query being forwarded to an authoritative DNS name server (NS). 
\n \n\n\n \nTo exploit this architecture, SigRed involves configuring a domain's (\"deadbeef.fun\") [NS resource records](<https://en.wikipedia.org/wiki/List_of_DNS_record_types>) to point to a malicious name server (\"ns1.41414141.club\"), and querying the target DNS server for the domain in order to have the latter parse responses from the name server for all subsequent queries related to the domain or its subdomains. \n \nWith this setup in place, an attacker can trigger an integer overflow flaw in the function that parses incoming responses for forwarded queries (\"dns.exe!SigWireRead\") to send a DNS response that contains a [SIG resource record](<https://tools.ietf.org/html/rfc2535#section-2.3.1>) larger than 64KB and induce a \"controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.\" \n \nPut differently; the flaw targets the function responsible for allocating memory for the resource record (\"RR_AllocateEx\") to generate a result bigger than 65,535 bytes to cause an integer overflow that leads to a much smaller allocation than expected. \n \nBut with a single DNS message limited to 512 bytes in UDP (or 4,096 bytes if the server supports [extension mechanisms](<https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS>)) and 65,535 bytes in TCP, the researchers found that a SIG response with a lengthy signature alone wasn't enough to trigger the vulnerability. \n \nTo achieve this, the attack cleverly takes advantage of [DNS name compression](<https://powerdns.org/hello-dns/basic.md.html#dnsbasics>) in DNS responses to create a buffer overflow using the aforementioned technique to increase the allocation's size by a significant amount. \n \n\n\n## Remote Exploitation of the Flaw\n\n \nThat's not all. 
SigRed can be triggered remotely via a browser in limited scenarios (e.g., Internet Explorer and non-Chromium based Microsoft Edge browsers), allowing an attacker to abuse Windows DNS servers' support for [connection reuse and query pipelining](<https://tools.ietf.org/html/rfc7766#section-6.2.1>) features to \"smuggle\" a DNS query inside an HTTP request payload to a target DNS server upon visiting a website under their control. \n \nWhat's more, the bug can be further exploited to leak memory addresses by corrupting the metadata of a DNS resource record and even achieve [write-what-where](<https://cwe.mitre.org/data/definitions/123.html>) capabilities, allowing an adversary to hijack the execution flow and cause it to execute unintended instructions. \n \n\n\n[](<https://thehackernews.com/images/-HEx60rYsUag/Xw28tH1tAeI/AAAAAAAAAjg/NJQx1bGwsz4XXVX6VMdIZz_fT6pv4UyxACLcBGAsYHQ/s728-e100/dns-hacking.jpg>)\n\n \nSurprisingly, DNS clients (\"dnsapi.dll\") are not susceptible to the same bug, leading the researchers to suspect that \"Microsoft manages two completely different code bases for the DNS server and the DNS client, and does not synchronize bug patches between them.\" \n \nGiven the severity of the vulnerability and the high chances of active exploitation, it's recommended that users patch their affected Windows DNS Servers to mitigate the risk. \n \nAs a temporary workaround until the update is applied, the maximum length of a DNS message accepted over TCP can be capped at \"0xFF00\" (65,280 bytes), which keeps an inbound TCP response below the size needed to reach the overflow. Note that the setting only takes effect after the DNS service is restarted (hence the stop/start below), that the server will reject legitimate TCP responses larger than 65,280 bytes while it is in place, and that it should be removed once the security update has been installed: \n \n\n\n> reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\" /v \"TcpReceivePacketSize\" /t REG_DWORD /d 0xFF00 /f \n \nnet stop DNS && net start DNS\n\n \n\"A DNS server breach is a very serious thing. Most of the time, it puts the attacker just one inch away from breaching the entire organization. There are only a handful of these vulnerability types ever released,\" Check Point's Omri Herscovici told The Hacker News. 
\n \n\"Every organization, big or small using Microsoft infrastructure is at major security risk, if left unpatched. The risk would be a complete breach of the entire corporate network.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T17:13:00", "type": "thn", "title": "17-Year-Old Critical 'Wormable' RCE Vulnerability Impacts Windows DNS Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-04-13T11:27:23", "id": "THN:DBFCCEBE2752BA05D9181D55D3477666", "href": "https://thehackernews.com/2020/07/windows-dns-server-hacking.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-01-26T11:37:27", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive 20-03 addressing a critical vulnerability\u2014CVE-2020-1350\u2014affecting all versions of Windows Server with the Domain Name System (DNS) role enabled. A remote attacker could exploit this vulnerability to take control of an affected system. 
This vulnerability is considered \u201cwormable\u201d because malware exploiting it on a system could, without user interaction, propagate to other vulnerable systems.\n\nAlthough Emergency Directive 20-03 applies only to certain Executive Branch departments and agencies, CISA strongly recommends state and local governments, the private sector, and others patch this critical vulnerability as soon as possible. Review the following resources for more information:\n\n * [CISA Emergency Directive 20-03: Mitigate Windows DNS Server Remote Code Execution Vulnerability from July 2020 Patch Tuesday](<https://www.cisa.gov/emergency-directive-20-03>)\n * [CISA Blog on Emergency Directive (ED 20-03) Windows DNS Server Vulnerability](<https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability>)\n * [Microsoft Security Vulnerability Information for CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)\n * [Microsoft Security Blog Post: CVE-2020-1350 Vulnerability in Windows DNS Server](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-16T00:00:00", "type": "cisa", "title": "CISA Releases Emergency Directive on Critical Microsoft Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-01-25T00:00:00", "id": "CISA:72803FA1C7CD81E274A0417B0A34353E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:43", "description": "Microsoft has released a security update to address a remote code execution (RCE) vulnerability\u2014CVE-2020-1350\u2014in Windows DNS Server. A remote attacker could exploit this vulnerability to take control of an affected system. 
This is considered a \u201cwormable\u201d vulnerability that affects all Windows Server versions.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft\u2019s [Security Advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) and [Blog](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ >) for more information, and apply the necessary update and workaround.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "cisa", "title": "Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T00:00:00", "id": "CISA:0A6DEB06CFB7BDA5A3D72E0F236C5665", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:38:45", "description": "A buffer overflow vulnerability exists in Microsoft Windows DNS Server. Successful exploitation of this vulnerability could lead to execution of arbitrary code on the target server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows DNS Server Remote Code Execution (CVE-2020-1350)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T00:00:00", "id": "CPAI-2020-0658", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-08-18T01:20:40", 
"description": "# CVE-2020-1350\nCVE-2020-1350 Proof-of-Concept\n\nEnvironment Setu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-17T05:41:19", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-03-16T16:44:01", "id": "9DE76D04-93D7-5923-9AE3-457D591197D6", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T08:22:16", "description": "# CVE-2020-1350 (SIGRed) - Windows DNS DoS Exploit\n\nCredits for ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T23:00:00", "type": "githubexploit", "title": "Exploit for 
Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-08-18T06:46:01", "id": "FFF6ABA4-7461-5653-836A-79F11037A7FF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T08:21:44", "description": "# Fake_CVE-2020-1350\nThis is the source code for a very crude fa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T21:55:57", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": 
"2022-08-18T07:05:31", "id": "37D3D343-97C5-5C12-8595-042E337E31C0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:54:35", "description": "This is an educational exercise...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-19T17:32:47", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:39:05", "id": "FB0D7C2A-01EB-5929-A539-96230C17B90F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:10", "description": "# Overview\n\nMicrosoft announced CVE-2020-1350 on July 14 2020. 
T...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T19:43:39", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:38:31", "id": "DD3676BD-E792-5189-86EE-4765FF68EFCB", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-07T02:44:35", "description": "# This is an educational exercise. 
Use at your own risk.\n\n# CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T19:02:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-08-06T02:40:10", "id": "F3CF4A79-402B-56C0-8689-1AF5EBFECF3F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:45", "description": "# [KB4569509: Guidance for DNS Server Vulnerability CVE-2020-135...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-26T02:12:36", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:40:04", "id": "A37C8010-D2C6-52F5-9079-96E8A538B6CA", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-31T19:43:29", "description": "# CVE-2020-1350\nThis Powershell Script is checking if your serve...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T05:46:31", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-07-31T16:10:52", "id": 
"93EEDE73-1DB4-5905-BCAB-CDC6F98831CD", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:09", "description": "# CVE-2020-1350\nScanner and Mitigat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-18T13:49:54", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-01-27T17:38:05", "id": "0AF42B8A-DF0D-58F8-AB60-9E7C63ED9EEB", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:01", "description": "# CVE-2020-1350 (AKA SIGRed) v0.30\n\n## Summary: \nA Zeek package...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T05:55:20", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-01-14T18:47:12", "id": "CB69BCC3-2317-5740-8B01-4F6F0D320AC3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:12:45", "description": "This is a powershell script that'll grab all the AD servers for ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-22T12:11:33", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:40:26", "id": "FA6C0B5A-E89D-54A7-B603-4D8095BF66DD", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T08:22:38", "description": "# cve-2020-1350\nBash Proof-of-Concept (PoC) script to exploit SI...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T22:45:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-08-18T07:04:55", "id": "2A7F5F31-A737-556D-A869-05B87FD1F625", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:25", "description": "# CVE-2020-1350 (SigRED)\n\nWorkarou...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T19:28:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-05-06T11:57:25", "id": "5F6BE6F7-C220-5BDD-BE92-A5156F21A1B2", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:58:14", "description": "# CVE-2020-1350 SIGRed Denial of Service PoC Exploit\n\nThis repo ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-16T16:46:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-01-09T21:16:20", "id": "479FD3C0-1269-5BC3-BD67-CDEE0485485A", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:53:36", "description": "# This is an educational exercise. Use at your own risk.\n\n# CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-10-14T14:42:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350", "CVE-2020-16898"], "modified": "2021-05-17T07:52:28", "id": "C96C8DD1-344C-5476-85AC-6D2865A5C00F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:18:47", "description": "# Contains Custom NSE scripts \n\n\n# 
CVE-2020-0796\nNSE script to d...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-11T17:51:29", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1350", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-34473"], "modified": "2022-03-23T17:15:09", "id": "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "msrc": [{"lastseen": "2023-06-06T14:43:31", "description": "\u672c\u8a18\u4e8b\u306f\u3001\u300cJuly 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server\u300d\u306e\u65e5\u672c\u8a9e\u6284\u8a33\u3067\u3059\u3002 \u672c\u65e5\u3001\u8106\u5f31\u6027\u60c5\u5831 CVE-2020-1350 \u3092\u516c\u958b\u3057", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T07:00:00", "type": "msrc", "title": "Windows DNS \u30b5\u30fc\u30d0\u30fc\u306e\u8106\u5f31\u6027\u60c5\u5831 CVE-2020-1350 \u306b\u95a2\u3059\u308b\u6ce8\u610f\u559a\u8d77", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T07:00:00", "id": "MSRC:0BBBB55B6F489CA387A82715A7CF6E11", "href": "/blog/2020/07/20200715-dnsvulnerability/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T14:43:31", "description": "Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a \u2018wormable\u2019 vulnerability and has a CVSS base score of 10.0. 
This issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T07:00:00", "type": "msrc", "title": "July 2020 Security Update:\u202fCVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T07:00:00", "id": "MSRC:0299F0ADFFEC3249877020E014342A78", "href": "/blog/2020/07/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-22T16:39:48", "description": "Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a \u2018wormable\u2019 vulnerability and has a CVSS base score of 10.0. 
This issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T07:00:00", "type": "msrc", "title": "July 2020 Security Update:\u202fCVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T07:00:00", "id": "MSRC:79DD362947FCABAB874BE67554F26FA3", "href": "https://msrc.microsoft.com/blog/2020/07/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-08-07T08:03:43", "description": "On July 14, 2020, Microsoft issued a new security advisory on [Microsoft Windows Patch Day](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) \u2013 addressing **CVE-2020-1350, **also known as **SigRed** \u2013 a remote code execution vulnerability in Windows Domain Name System (DNS) servers. 
The security issue has received a critical severity rating score of 10.0 based on the CVSS v3.1 scoring system. \n\n**SigRed** affects Windows servers that are configured to run the DNS Server role as described in the advisory.\n\n#### **The Vulnerability**\n\nMicrosoft mentioned that \u201cit found no evidence to show that the bug has been actively exploited by attackers and advised users to install patches immediately.\u201d Furthermore, it added that the vulnerability has the potential to spread via malware between vulnerable computers without any user interaction. No authentication is required to exploit this wormable vulnerability. A nefarious actor who is successful in exploiting this vulnerability could run arbitrary code in the Local System account.\n\nThe flaw impacts only Windows DNS servers and not DNS clients. Check Point Research team members Sagi Tzadik and Eyal Itkin have presented their research to Microsoft and shown it in a video [here](<https://www.youtube.com/watch?v=PUlMmhD5it8>).\n\nThe following component is vulnerable to CVE-2020-1350:\n\nFunction: _dns.exe!SigWireRead_\n\nVulnerability Type: _Integer Overflow leading to Heap-Based Buffer Overflow_\n\n\n\nImage Source: [Check Point](<https://www.youtube.com/watch?v=PUlMmhD5it8>)\n\n\u201cWithout any human interaction or authentication, a single exploit can start a chain reaction that would allow attacks to spread from one vulnerable machine to another,\u201d the researcher said. 
\u201cThis means that a single compromised machine could spread this attack throughout an organization\u2019s network within minutes of the first exploit.\u201d\n\n**Affected Windows Products**\n\nWindows Server 2004, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019\n\n### Identify Assets, Discover, Prioritize and Remediate Using Qualys VMDR\u00ae\n\nQualys VMDR, all-in-one vulnerability management, detection and response enables: \n\n * Identification of known and unknown hosts running vulnerable Windows servers with DNS service\n * Automatic detection of vulnerabilities and misconfigurations for Windows servers\n * Prioritization of threats based on risk \n * Integrated patch deployment \n\n#### Identification of Windows Assets with DNS Running\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of Windows server hosts with the DNS service running:\n\n_operatingSystem.category1:`Windows` and services.name:`DNS` _\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 SIGRED. This automatically groups existing Windows hosts under the SIGRED tag, as well as any new host that spins up with this vulnerability. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n#### Discover SIGRED CVE-2020-1350 Vulnerability and Misconfigurations \n\nNow that the Windows hosts tagged SIGRED are identified, you want to detect which of these assets have this vulnerability flagged. 
VMDR automatically detects new vulnerabilities like SIGRED based on the always-updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018SIGRED\u2019 asset tag in the vulnerabilities view by using the QQL query:\n\n_vulnerabilities.vulnerability.qid: 91662_\n\nThis will return a list of all impacted hosts.\n\n\n\nAlong with QID 91662, Qualys released the following IG QID 45451 to help customers track assets on which the mitigation has been applied. This QID can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\n_QID 45451: Microsoft KB4569509 Mitigation Guidance for DNS Server Applied (CVE-2020-1350). _\n\nThese QIDs are included in signature version VULNSIGS-2.4.942-2 and above.\n\nUsing VMDR, QID 91662 can be prioritized for the following RTIs:\n\n * Remote Code Execution\n * Unauthenticated Exploitation\n * Public Exploit\n * Denial of Service\n * Easy Exploit\n * High Data Loss\n * Wormable\n * Predicted High Risk\n * Privilege Escalation\n * High Lateral Movement\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With the \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts for each threat. \n\n\n\nSimply click on the impacted assets for the SIGRED threat feed to see the vulnerability and impacted host details. \n\nWith VM Dashboard, you can track SIGRED, impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of SIGRED vulnerability trends in your environment using [Microsoft SIGRED RCE Vulnerability Dashboard](<https://qualys-secure.force.com/customers/articles/Knowledge/000006377>).\n\n\n\n**Configuration management adds context to overall vulnerability management**\n\nTo reduce the overall security risk, it is important to take care of Windows system misconfigurations as well. Qualys VMDR shows your Windows system misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have the SIGRED RCE vulnerability. \n\nWith the [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can automatically discover the status of the \u2018DNS\u2019 service and whether hosts have misconfigurations relevant to the SIGRED vulnerability. \n\n * Qualys configuration ID \u2013 18935 \"Status of the 'TcpReceivePacketSize' parameter within the 'HKLM\\System\\CurrentControlSet\\Services\\DNS\\Parameters' registry key\" would be evaluated against all Windows DNS servers as shown below\n\n\n#### Risk-Based Prioritization of SIGRED RCE Vulnerability \n\nNow that you have identified the hosts, versions and context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on the risk, as each vulnerable asset might not pose the same risk. \n\n**High Risk:** \n\n * Hosts with DNS enabled and patch or workaround not applied are at high risk. \n * If, due to business reasons, it is not possible to apply the patch on the hosts for which CVE-2020-1350 is detected, customers can check for misconfigurations (CID 18935 controls are failing) as shown below. 
\n\n\n**Medium Risk:** \n\n * Hosts with DNS enabled for which CVE-2020-1350 is detected but configuration 18935 is detected as hardened are at medium risk.\n\n### Response by Patching and Remediation \n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201ccve:`CVE-2020-1350`\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 SIGRED. \n\nFor proactive, continuous patching, you can create a daily job with a 24-hour \u201cPatch Window\u201d to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities. \n\nUsers are encouraged to apply patches as soon as possible.\n\n\n\nIn cases where, due to business reasons, it is not possible to apply patches, it is recommended that you reduce your security risk by remediating the related configuration settings for all Windows servers running DNS, as provided in [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>), by applying the following workarounds:\n\n**Workarounds**\n\nRegistry modification\n\n_HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters_\n\n_DWORD = TcpReceivePacketSize_\n\n_Value = 0xFF00_\n\nNote: You must restart the DNS Service for the workaround to take effect.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching critical SIGRED RCE vulnerability CVE-2020-1350.", "cvss3": {}, "published": "2020-07-20T20:45:55", "type": "qualysblog", "title": "Automatically Discover, Prioritize and Remediate Windows DNS Vulnerability (SigRed \u2013 CVE-2020-1350) Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": 
"2020-07-20T20:45:55", "id": "QUALYSBLOG:8028F138635C78F91B08AB2CF72FA154", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T08:03:43", "description": "This month\u2019s Microsoft Patch Tuesday addresses 123 vulnerabilities with 18 of them labeled as Critical. The 18 Critical vulnerabilities cover Hyper-V, DNS Server, PerformancePoint, SharePoint Server, Office, Outlook, Remote Desktop, and several other workstation vulnerabilities. Adobe issued patches today for Download Manager, Media Encoder, Genuine Service, ColdFusion, and Creative Cloud.\n\n## Workstation Patches\n\nToday's patch Tuesday fixes many vulnerabilities that would impact workstations. The Office, Outlook, Remote Desktop Client, DirectWrite, Address Book, LNK, GDI+, Font Library, and VBScript vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n## Windows DNS Server RCE\n\nAn extremely critical Remote Code Execution vulnerability ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)) is fixed today in all versions of Windows DNS Server. Microsoft ranks this vulnerability as "Exploitation More Likely," and according to Microsoft and the researchers at [Check Point](<https://research.checkpoint.com/>), the vulnerability is wormable. It is highly recommended to prioritize these patches on all Microsoft DNS servers, including Active Directory servers.\n\nIn a [guidance document](<https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability>), Microsoft provides a workaround that involves setting the maximum TcpReceivePacketSize to prevent exploitation. 
If patches cannot be deployed immediately, this workaround should be considered as an interim mitigation.\n\n## Hyper-V RemoteFX vGPU RCE\n\nMicrosoft patched six similar RCE vulnerabilities ([CVE-2020-1032](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032>), [CVE-2020-1036](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036>), [CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>), [CVE-2020-1041](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041>), [CVE-2020-1042](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042>), [CVE-2020-1043](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043>)) related to the way graphics drivers are handled in Hyper-V. Since the vulnerabilities involve directly attacking the host's graphics drivers, this patch simply disables RemoteFX functionality. According to Microsoft: \"RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.\"\n\n## Deserialization RCEs in PerformancePoint Services, SharePoint, .NET, and Visual Studio\n\nMicrosoft also patched two RCEs in PerformancePoint Services for SharePoint Server ([CVE-2020-1439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1439>)) along with .NET Framework, SharePoint Server, and Visual Studio ([CVE-2020-1147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147>)). 
These vulnerabilities both involve the deserialization of XML content and could lead to Remote Code Execution if exploited.\n\n## Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [Download Manager](<https://helpx.adobe.com/security/products/adm/apsb20-49.html>), [Media Encoder](<https://helpx.adobe.com/security/products/media-encoder/apsb20-36.html>), [Genuine Service](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>), [ColdFusion](<https://helpx.adobe.com/security/products/coldfusion/apsb20-43.html>), and [Creative Cloud](<https://helpx.adobe.com/security/products/creative-cloud/apsb20-33.html>). The patches for Creative Cloud and ColdFusion are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.\n\n## About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>).", "cvss3": {}, "published": "2020-07-14T18:58:08", "type": "qualysblog", "title": "July 2020 Patch Tuesday \u2013 123 Vulnerabilities, 18 Critical, Hyper-V RemoteFX, DNS Server, Workstation, Adobe", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1032", "CVE-2020-1036", "CVE-2020-1040", "CVE-2020-1041", "CVE-2020-1042", "CVE-2020-1043", "CVE-2020-1147", "CVE-2020-1350", "CVE-2020-1439"], "modified": "2020-07-14T18:58:08", "id": "QUALYSBLOG:F343178EEC11B54CFAFBD0B4D505010B", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-23T18:02:10", "description": 
"_Zero-day vulnerability attacks have emerged as a major cybersecurity threat in the last few years. Organizations most often targeted include large enterprises and government/Federal agencies. However, any organization, regardless of its size, business, or industry, is a potential target for zero-day threats._\n\nMost notably, a quarter of these zero-days were already publicly disclosed. This means that **one out of every four** zero-day exploits detected could potentially have been avoided if a more thorough investigation and patching effort had been pursued. In 2021, around 58 zero-day vulnerabilities were reported, more than double the total for the previous year. This is a definite cause for alarm. As of June 2022, Google\u2019s project had identified 18 zero-day vulnerabilities so far this year. \n\n\n\nHere are some well-known examples of zero-day attacks:\n\n * Most recently, the [Follina zero-day vulnerability](<https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-edr-context-xdr>)\n * [Log4j](<https://www.qualys.com/log4shell-cve-2021-44228/>) (2021)\n * Chrome (2021)\n * [Zoom](<https://blog.qualys.com/qualys-insights/2020/04/06/secure-remote-endpoints-from-vulnerabilities-in-video-conferencing-productivity-applications-like-zoom>) (2020)\n * [Apple iOS](<https://blog.qualys.com/vulnerabilities-threat-research/2021/10/18/apple-fixes-zero-day-in-ios-and-ipados-15-0-2-emergency-release-detect-and-prioritize-vulnerabilities-using-vmdr-for-mobile-devices>) (2020)\n * Microsoft Windows, Eastern Europe (2019)\n\n### Why Are Zero-Day Attacks/Exploits so Dangerous?\n\nThe biggest challenge in cybersecurity remains **to secure what can\u2019t be seen.**\n\nZero-day attacks occur without warning, which makes them difficult to protect against. They take advantage of previously unknown vulnerabilities that have yet to be patched. In some cases, the software vendor is not even aware that the weakness exists. 
\n\nThe time between initial disclosure of a new vulnerability and its exploitation is shrinking. Yet the time to fix a vulnerability is not shrinking at the same rate. This gives attackers ample time to run rampant and launch zero-day attacks on defenseless targets. Unfortunately, it can still take days, weeks, or even months for fixes to be released. An enterprise may be forced to use the vulnerable/compromised software that entire time, exposing both its mission-critical machines and sensitive data.\n\nEven worse, once a zero-day patch is released, not all organizations are quick to implement it.\n\n### How Qualys Policy Compliance Helps Combat Zero-Day Threats\n\n[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) is a next-generation solution for continuous cyber risk reduction and effective compliance with internal policies, industry mandates, and government regulations. It helps enterprises of any size to respond to zero-day threats. Here\u2019s how:\n\n#### Detecting New Vulnerabilities\n\nThe Qualys Research Team analyzes zero-day vulnerabilities published from various sources (e.g. [Microsoft Patch Tuesday](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/09/august-2022-patch-tuesday>)), including vendor advisories that help accurately detect these vulnerabilities. They identify workarounds and create compensatory controls accordingly, which help to detect these vulnerabilities in the IT environment.\n\n#### Mitigating Risk with Compensating Controls\n\nQualys Policy Compliance (PC) has a rich library of security controls that can be used to compensate for various zero-day vulnerabilities across different technologies and platforms. 
Qualys continuously releases new compensatory controls for new zero-day vulnerabilities as soon as a vulnerability is disclosed where no patch is yet available.\n\nWhile no organization can completely protect themselves from a zero-day attack, organizations are able to detect new zero-day vulnerabilities and mitigate the risk associated with them with Qualys PC compensatory controls.\n\nHere is a current list of current zero-day vulnerabilities for which Qualys PC has compensatory controls.\n\n#### Zero-day Vulnerabilities, 2020-2022\n\nHere is a listing of zero-day threats disclosed over the past three years, with links to Qualys blogs analyzing the CVEs (where applicable).\n\n**CVE ID**| **Vulnerability name**| **Control ID**| **Control Title** \n---|---|---|--- \nCVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190) AKA [\u201cFollina\u201d](<https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-edr-context-xdr>) | 24074| Status of the 'Microsoft Support Diagnostic Tool (MSDT)' service \nCVE-2022-20695| Cisco Wireless LAN Controller Management Interface Authentication Bypass Vulnerability| 23670| Status of mac filter compatibility mode \nCVE-2022-22965| [Spring framework](<https://blog.qualys.com/vulnerabilities-threat-research/2022/03/31/spring-framework-zero-day-remote-code-execution-spring4shell-vulnerability>) RCE| 23425| List of Java versions and processes present on the host \nCVE-2021-4034| [PwnKit: Local Privilege Escalation Vulnerability](<https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034>)| 22844| Status of the SUID bit for /usr/bin/pkexec \nCVE-2021-4104 \nCVE-2021-44228 \nCVE-2021-45046 \nCVE-2021-45105| [Log4j Remote Code Execution 
(RCE)](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell>)| 22639| Detection of the Apache Log4j Remote Code Execution (RCE) vulnerability (Log4Shell) (Linux) \nCVE-2021-4104 \nCVE-2021-44228 \nCVE-2021-45046 \nCVE-2021-45105| [Log4j Remote Code Execution (RCE)](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell>)| 22638| Detection of the Apache Log4j Remote Code Execution (RCE) vulnerability (Log4Shell) (Windows) \nCVE-2021-34527| [Windows Print Spooler Remote Code Execution Vulnerability](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/07/microsoft-windows-print-spooler-rce-vulnerability-printnightmare-cve-2021-34527-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| 21711| Status of the 'Allow Print Spooler to accept client connections' group policy setting \nCVE-2021-34527| | 19071| Status of the 'Point and Print Restrictions: When updating drivers for an existing connection' setting \nCVE-2021-34527| | 19070| Status of the 'Point and Print Restrictions: When installing drivers for a new connection' setting \nCVE-2021-34527| | 1368| Status of the 'Print Spooler' service \nCVE-2020-10148| [SolarWinds Orion API Authentication Bypass Vulnerability](<https://blog.qualys.com/vulnerabilities-threat-research/2021/01/04/technical-deep-dive-into-solarwinds-breach>)| 20645| Status of 'match-url' for rewrite rule 'PassValidSkipi18nRequest' where 'type' is None (Site-Level) \nCVE-2020-10148| | 20644| Status of 'match-url' for rewrite rule 'PassValidi18nRequest' where 'type' is None (Site-Level) \nCVE-2020-10148| | 20643| Status of 'match-url' parameter for rewrite rule 'BLockOtherSkipi18nRequest' where 'statuscode' is 403 (Site-Level) \nCVE-2020-10148| | 20642| Status of 'match-url' parameter for rewrite rule 'BLockOtheri18nRequest' where 'statuscode' is 403 (Site-Level) \nCVE-2020-10148| | 
20641| Status of 'match-url' parameter for rewrite rule 'BLockInvalidAxdRequest' where 'statuscode' is 403 (Site-Level) \nCVE-2020-11993| Apache HTTPD Server HTTP/2 module memory crash| 19188| The Status of the 'LogLevel' directive in the Apache configuration file (Server Level) \nCVE-2020-9490| Apache HTTPD Server HTTP/2 push crash| 19187| Status of the 'H2Push' directive in the apache configuration file (Server Level) \nCVE-2020-16898| [Windows TCP/IP Remote Code Execution Vulnerability](<https://blog.qualys.com/product-tech/2020/10/14/microsoft-windows-tcp-ip-remote-code-execution-vulnerability-cve-2020-16898-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| 19571| Status of the 'RA Based DNS Config (RFC 6106)' parameter of network interface (Qualys Agent only) \nCVE-2020-1350| [KB4569509: DNS Server Vulnerability](<https://blog.qualys.com/vulnerabilities-threat-research/2020/07/20/automatically-discover-prioritize-and-remediate-windows-dns-vulnerability-cve-2020-1350-using-qualys-vmdr>)| 18935| Status of the 'TcpReceivePacketSize' parameter within the 'HKLM\\System\\CurrentControlSet\\Services\\DNS\\Parameters' registry key \n \n#### Identifying Compensatory Controls ****\n\nUsing Qualys Policy Compliance\u2019s new user interface, users will be able to verify the compliance posture of these controls by just looking at the CVEID/vulnerability unique identifier. 
As demonstrated below, it is easy to search for them by using the QQL token **control.vulnerability.cveId:** and then to create a dashboard from the results (see below).\n\nIdentifying the compensatory controls using the CVE ID\n\n### Benefit of Qualys Policy Compliance for Zero-Day Threats\n\nThe main benefit of Qualys Policy Compliance is \u201cDefense in Depth\u201d.\n\nEnterprises can make their security architecture stronger by assessing and fixing any misconfigurations, and then deploy patches easily once they are available, to reduce the organization\u2019s overall cyber risk.\n\nThe initial assessment gives cybersecurity teams insights into their current security posture. It plays an important role in mitigating the risk posed by zero-day vulnerabilities while the IT environment is vulnerable and until a vendor patch is released. In addition, organizations can add one more layer of security to their environment by leveraging Qualys PC controls to identify misconfigurations and provide the solution to mitigate them. Qualys researchers work around the clock analyzing zero-day vulnerabilities and release configuration assessment controls to detect and mitigate publicly known zero-day vulnerabilities.\n\n#### Remediate Misconfigurations using Qualys Policy Compliance AutoRemediation\n\nQualys Policy Compliance doesn\u2019t just detect misconfigurations associated with zero-day vulnerabilities, but also remediates them at scale using its AutoRemediation feature. 
After fixing the misconfiguration with AutoRemediation, users have reduced the overall risk posed by any particular vulnerability.\n\nLet\u2019s examine a specific example, using the recently disclosed [zero-day vulnerability commonly known as Follina](<https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-edr-context-xdr>).\n\nSecurity posture of compensating controls for Follina vulnerability\n\nWith misconfigurations associated with Follina, the risk is high:\n\nCyber risk from Follina is high\u2026 without a fix\n\nThe control has failed. The following series of screenshots show how users can remediate the control using Qualys PC Auto-Remediation:\n\nStep 1: Assess the misconfigured control Step 2: Choose to remediate the failure Step 3: Name the remediation Job Step 4: Select the control Step 5: Go to the script library\n\nNext, users can select a remediation script:\n\nStep 6: Select the remediation script from the library\n\nThen they select the asset for remediation:\n\nStep 7: Select assets to remediate Step 8: Track status of the remediation job\n\nAfter successful execution of the remediation script, the control is remediated, and security posture is changed from Fail to Pass.\n\nCyber risk has been reduced after fixing the misconfiguration.\n\nRemediation reduces Applied Risk Score\n\n#### Executing Workarounds using Qualys Custom Assessment and Remediation****\n\n[Qualys Custom Assessment and Remediation](<https://www.qualys.com/apps/custom-assessment-remediation/>) allows security practitioners to quickly create and execute custom scripts and controls, and then to take immediate action to directly remediate problems and apply mitigations. 
From Qualys PC, users can perform the provided mitigation steps by creating a PowerShell script and executing it on the vulnerable assets.\n\nWatch this short looping video demonstrating how easy it is to execute remediation jobs in Qualys.\n\nApplying workaround for Follina vulnerability using Qualys Custom Assessment & Remediation\n\n### Summary****\n\nQualys Policy Compliance is not only a leading provider of security recommendations across CIS and DISA standards, but also provides out-of-the-box recommendations and compensating controls. This combination secures enterprise IT infrastructure from known zero-day vulnerabilities when no patch is available, thereby reducing the overall cyber risk associated with any zero-day vulnerability.\n\n### Getting Started\n\nReady to get started? Learn more about how Qualys Policy Compliance provides different configuration assessment controls. [Sign up for a free trial today.](<https://www.qualys.com/forms/policy-compliance/>)\n\n### contributors\n\n * Mukesh Choudhary, Compliance Research Analyst, Qualys\n * Mohd Anas Khan, Compliance Research Analyst, Qualys\n * Vikas Gothwal, Senior Compliance Research Analyst, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-23T10:46:04", "type": "qualysblog", "title": "Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10148", "CVE-2020-11993", "CVE-2020-1350", "CVE-2020-16898", "CVE-2020-9490", "CVE-2021-34527", "CVE-2021-4034", "CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-20695", "CVE-2022-22965", "CVE-2022-30190"], "modified": "2022-08-23T10:46:04", "id": "QUALYSBLOG:A0F20902D80081B44813D92C6DCCDAAF", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-23T16:02:16", "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). 
Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. \n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 
\nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * \n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of the trends of these vulnerabilities in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploitation, one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * An organization's vigilance team should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting, and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "cvss3": {}, "published": "2020-10-22T23:10:29", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", 
"CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update their internal vulnerability management procedures within 60 days, and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. 
Qualys' guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. 
Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-202
1-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive's aggressive remediation date of November 17, 2021. 
Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not 
currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past-due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732','CVE-2020-1350','CVE-2020-1472','CVE-2021-26855','CVE-2021-26858','CVE-2021-27065','CVE-2020-0601','CVE-2021-26857','CVE-2021-22893','CVE-2020-8243','CVE-2021-22900','CVE-2021-22894','CVE-2020-8260','CVE-2021-22899','CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve that compliance. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but only partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. 
Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", 
"CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. 
This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. 
CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:\"true\"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. 
Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-07-16T08:28:41", "description": "A critical Microsoft Windows Server bug opens company networks to hackers, allowing them to potentially seize control of IT infrastructures. Microsoft issued a patch for the bug on Tuesday as part of its July Patch Tuesday roundup.\n\nIt turns out that the bug is 17 years old. Impacted are Windows Server versions from 2003-2019. The bug, found by researchers at Check Point, received a severity warning of 10 \u2013 the highest allowed. 
Most concerning to researchers, however, is that the bug is wormable, meaning a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another.\n\n\u201c[The] security flaw would enable a hacker to craft malicious DNS queries to the Windows DNS server, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure,\u201d according to Check Point researcher Sagi Tzaik, who is credited for finding the flaw.\n\nMicrosoft released a patch for the vulnerability, identified as [CVE-2020-1350,](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) and [urged customers](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>) to prioritize an update to their systems. Check Point is calling the bug SigRed \u2013 a nod to the vulnerable DNS component and function \u201cdns.exe\u201d.\n\nA hacker can gain Domain Administrator rights over the server, \u201cenabling the hacker to intercept and manipulate users\u2019 emails and network traffic, make services unavailable, harvest users\u2019 credentials and more. In effect, the hacker could seize complete control of a corporation\u2019s IT,\u201d researchers wrote, in a technical analysis of the bug, posted Tuesday.\n\n## **Patching Is an Imperative **\n\nUpping the chance for exploitation by a hacker are the relatively simple prerequisites needed to exploit the vulnerability. \u201cThe likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources,\u201d researchers noted.\n\n\u201cThis issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions. 
Non-Microsoft DNS Servers are not affected,\u201d [Microsoft wrote in a post Tuesday](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>). \u201cWhile this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.\u201d\n\nMechele Gruhn, principal security PM manager at the Microsoft Security Response Center, noted that \u201cif applying the update quickly is not practical, a [registry-based workaround is available](<https://support.microsoft.com/en-us/help/4569509>) that does not require restarting the server. The update and the workaround are both detailed in [CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>).\u201d\n\n\u201cCVE-2020-1350, a wormable remote code execution vulnerability in Windows DNS Server, could very well be the most critical Windows vulnerability released this year, receiving a rare 10 out of 10 CVSS score,\u201d Chris Hass, director of information security and research at Automox, told Threatpost.\n\n\u201cA wormable vulnerability like this is an attacker\u2019s dream. An unauthenticated hacker could send specially crafted packets to the vulnerable Windows DNS Server to exploit the machine, allowing for arbitrary code to be run in the context of the local system account. Not only will the attacker have full control of the system, but they will also be able to leverage the server as a distribution point, allowing the attacker to spread malware between systems without any user interaction. 
This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as Wannacry and NotPetya,\u201d Hass said.\n\n## **Exploiting a 17-Year-Old Bug**\n\nThe flaw itself is an integer-overflow bug that can trigger a heap-based buffer overflow attack tied to the DNS module called dns.exe, which is responsible for answering DNS queries on Windows Servers.\n\nBy abusing the dns.exe module, two attack surfaces were created by researchers. One is a \u201cbug in the way the DNS server parses an incoming query.\u201d And the second is \u201ca bug in the way the DNS server parses a response (answer) for a forwarded query.\u201d\n\nThe attack requires researchers to first force a Windows DNS Server to parse responses from a malicious DNS NameServer. This employs the dns.exe module, which parses all supported response types. One of those supported response types is for a Secure Internet Access (SIG) query called SIG(0). Researchers focused their attention on creating a request that exceeded the maximum size request of 65,535 bytes, and causing the overflow. By using compressed data, researchers were able to create a successful crash.\n\n\u201cAlthough it seems that we crashed because we were trying to write values to unmapped memory, the heap can be shaped in a way that allows us to overwrite some meaningful values,\u201d they wrote.\n\nThis local attack then was replicated remotely, by \u201csmuggling DNS inside HTTP\u201d requests on Internet Explorer and Microsoft Edge browsers (Google Chrome and Firefox are not vulnerable to this type of attack). 
Because DNS can be transported over TCP \u2014 and Windows DNS Server supports this connection type \u2013 researchers were able to craft an HTTP payload.\n\n\u201cEven though this is an HTTP payload, sending it to our target DNS server on port 53 causes the Windows DNS Server to interpret this payload as if it was a DNS query,\u201d they wrote. Researchers were able to circumvent HTTP protections against similar malicious HTTP payloads by \u201csmuggling\u201d DNS query data inside the POST data located in the HTTP request.\n\nChromium-class browsers (Google Chrome and Mozilla Firefox) do not allow HTTP requests to port 53, therefore the bug can only be exploited through Internet Explorer and Microsoft Edge.\n\n\u201cSuccessful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some internet service providers (ISPs) may even have set up their public DNS servers as WinDNS,\u201d Check Point wrote.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. 
[Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-14T19:01:04", "type": "threatpost", "title": "Critical DNS Bug Opens Windows Servers to Infrastructure Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T19:01:04", "id": "THREATPOST:96E775E045D4DF55CC1B9A3AA0C28F70", "href": "https://threatpost.com/critical-dns-bug-windows-servers-infrastructure-takeover/157427/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-17T21:59:13", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering all federal executive branch offices to apply a patch for a wormable Windows Server bug within 24 hours, warning of a \u201chigh potential for compromise of agency information systems.\u201d\n\nIn an [Emergency Directive](<https://cyber.dhs.gov/ed/20-03/>), the Department of Homeland Security (DHS) agency ordered the \u201cFederal Civilian Executive Branch\u201d to apply a patch Microsoft released Tuesday for the vulnerability, ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), by 2:00 pm ET Friday.\n\n\u201cCISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,\u201d the agency said in the directive. 
\n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically, the directive requires that by the deadline, all of the aforementioned agencies do the following: \u201cUpdate all endpoints running Windows Server operating systems; ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role; ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed; and ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\u201d\n\nWhile there is no evidence of current active exploitation of the vulnerability, the CISA based its warning on \u201cthe likelihood of the vulnerability being exploited\u201d as well as \u201cthe widespread use of the affected software across the Federal enterprise,\u201d and \u201cthe grave impact of a successful compromise,\u201d according to the directive.\n\nThe CISA emergency directive includes:\n\n * By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\n\nThe agency recommends taking equipment offline if it can\u2019t be patched before the CISA deadline.\n\nThe vulnerability, a DNS flaw, was one of 123 bugs Microsoft patched in [July\u2019s Patch Tuesday](<https://threatpost.com/microsoft-tackles-123-fixes-july-patch-tuesday/157440/>), the fifth month in a row the company 
patched more than 100 vulnerabilities.\n\nCVE-2020-1350 is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server that was initially [discovered by Sagi Tzaik](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>), a researcher at Check Point. That bug exists due to the improper handling of requests sent to Windows DNS servers, according to researchers.\n\n\u201cA remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server,\u201d wrote Satnam Narang, staff research engineer at Tenable, in the company\u2019s [Patch Tuesday analysis](<https://www.tenable.com/blog/microsoft-s-july-2020-patch-tuesday-addresses-123-cves-including-wormable-windows-dns-server>). \u201cSuccessful exploitation would allow the attacker to execute arbitrary code under the local system account context,\u201d\n\nMoreover, the vulnerability is wormable, which means it could spread from computer to computer without user interaction, making it all the more dangerous, he said.\n\nAlthough Emergency Directive 20-03 applies only to certain Executive Branch departments and agencies, the CISA also strongly recommends that all state and local governments, the private sector, and others patch this critical vulnerability as soon as possible.\n\nThe CISA has had its hands full lately warning on the exploit likelihood and danger of critical vulnerabilities that have either been discovered or patched in widely used hardware and software.\n\nOn July 14, the CISA [warned](<https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/>) of a critical vulnerability for SAP customers, the successful exploitation of which could open the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); and engage in other numerous types of disruptive behavior.\n\nA 
week before that, the agency urged all administrators to [implement an urgent patch](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) for a critical vulnerability in F5 Networks\u2019 networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.\n\nThe CISA also [warned](<https://threatpost.com/cisa-nation-state-attackers-palo-alto-networks-bug/157013/>) June 30 that foreign hackers were likely to exploit a critical vulnerability, CVE-2020-2021, in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, ordering agencies to patch all affected devices.\n", "cvss3": {}, "published": "2020-07-17T15:43:00", "type": "threatpost", "title": "CISA Emergency Directive Orders Immediate Fix of Windows DNS Server Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1350", "CVE-2020-2021"], "modified": "2020-07-17T15:43:00", "id": "THREATPOST:363C332F7046A481C24C7172C55CF758", "href": "https://threatpost.com/cisa-emergency-directive-orders-immediate-fix-of-windows-dns-server-bug/157529/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:22:35", "description": "A critical DNS bug and a publicly known elevation-of-privilege flaw top Microsoft\u2019s July Patch Tuesday list of 123 fixes. The [DNS flaw is a remote code-execution bug and is touted](<https://threatpost.com/critical-dns-bug-windows-servers-infrastructure-takeover/157427/>) as one of the most critical Windows vulnerabilities released this year, earning the highest-severity CVSS score of 10.\n\nThe elevation-of-privilege bug ([CVE-2020-1463](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1463>)) received a less-severe \u201cimportant\u201d rating, and impacts the Windows 10 and Windows Server SharedStream Library component. It stems from the way it handles objects in memory. 
Researchers expressed concern because the bug is publicly known, making it ripe for exploitation.\n\n\u201cThe [SharedStream] vulnerability could allow an attacker to execute code with elevated permissions,\u201d said Todd Schell, senior product manager, security, Ivanti. However, \u201cthe attacker would need to be locally authenticated to exploit,\u201d he said. \n[](<https://threatpost.com/newsletter-sign/>)\n\nThe more severe DNS flaw ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)) is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server and was found by Sagi Tzaik, a researcher at Check Point. That bug exists due to the improper handling of requests sent to Windows DNS servers, according to researchers.\n\n\u201cA remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server. Successful exploitation would allow the attacker to execute arbitrary code under the local system account context,\u201d wrote Satnam Narang, staff research engineer at Tenable, in the company\u2019s Patch Tuesday analysis.\n\nHe noted that Microsoft warned that this vulnerability is wormable, meaning it could spread from computer to computer without user interaction. \u201cOrganizations are strongly encouraged to patch their systems as soon as possible to address this vulnerability, as we expect that it won\u2019t be long before attackers begin to probe for and target vulnerable systems,\u201d he wrote as part of Tenable\u2019s analysis of the flaw.\n\n[Related content: [Critical DNS Bug Opens Windows Servers to Infrastructure Hijacking](<https://threatpost.com/critical-dns-bug-windows-servers-infrastructure-takeover/157427/>)]\n\n## **123 Fixes: Another Triple-Digit Month**\n\nIn all, Microsoft patched 123 bugs, 18 listed as critical and 105 listed as important in severity. 
Microsoft\u2019s advisories covered a wide swath of products, including Windows 10, Microsoft\u2019s new Chromium-based Edge browser, Internet Explorer (IE), Office and Office Services and Web Apps, Windows Defender, Skype for Business, Visual Studio, .NET Framework, OneDrive, Azure DevOps and Open Source Software.\n\n\u201cThat makes five straight months of 110+ CVEs released and brings the total for 2020 up to 742,\u201d wrote Zero Day Initiative (ZDI) researchers in their [Patch Tuesday analysis](<https://www.thezdi.com/blog/2020/7/14/the-july-2020-security-update-review>). \u201cFor comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month. They have already passed their totals for 2017 (665) and 2018 (691).\u201d\n\nResearchers at ZDI singled out a \u201crare\u201d critical elevation-of-privilege vulnerability ([CVE-2020-1025](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1025>)) in Microsoft Office: \u201cIt\u2019s rare to see an elevation-of-privilege bug rated critical in severity, but this vulnerability in SharePoint and Skype for Business servers certainly earns its rating.\u201d The flaw allows attackers to gain access to impacted servers through the improper handling of an [OAuth](<https://threatpost.com/microsoft-warns-oauth-attacks-cloud-app/157331/>) token.\n\n## **Patch Tuesday Bug Parade**\n\nMeanwhile, Adobe released five patches covering 13 CVEs in Adobe ColdFusion, Download Manager, Genuine Service, Media Encoder and the Creative Cloud Desktop Application. 
Adobe patches included fixes for four critical vulnerabilities, as [outlined by Threatpost](<https://threatpost.com/adobe-critical-code-execution-bugs-july/157420/>).\n\nAlso on Tuesday, Google updated its [Google Chrome browser](<https://chromereleases.googleblog.com/2020/07/stable-channel-update-for-desktop.html>) with a security update tackling 38 vulnerabilities \u2014 including one critical. The critical bug (CVE-2020-6510) is a Chrome heap buffer overflow vulnerability tied to Chrome\u2019s background fetch function.\n\nThe Chrome security update is part of the release of Chrome 84 (84.0.4147.89), which notably includes deprecated support for TLS 1.0 and TLS 1.1.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. 
_**[**_Click here to register_**](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>)**_ for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-14T21:32:06", "type": "threatpost", "title": "Microsoft Tackles 123 Fixes for July Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1025", "CVE-2020-1350", "CVE-2020-1463", "CVE-2020-6510"], "modified": "2020-07-14T21:32:06", "id": "THREATPOST:7E6D2DBA11B2CCCE264B0982306FBEB1", "href": "https://threatpost.com/microsoft-tackles-123-fixes-july-patch-tuesday/157440/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2020-07-21T16:02:08", "description": "Recently, [Check Point researchers](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) found a 17-year-old high-profile flaw, SIGRed (CVE-2020-1350). The flaw is a wormable, critical vulnerability in the Windows DNS server, and can be triggered by a malicious DNS response.\n\nOn a zero to 10 scale, this vulnerability has received a CVSS base score of 10 in terms of how easy it is to exploit and how damaging it can be. Successful exploitation could lead to a critical RCE on Windows DNS servers due to the improper handling of DNS requests - effectively compromising the entire corporate infrastructure.\n\nFortunately, Imperva [DDoS Protection for Domain Name Servers (DNS)](<https://www.imperva.com/products/dns-ddos-protection-services/>) can shield against this vulnerability and ensure the attack is not forwarded to the origin name server. 
Customers using our protected DNS service are safe provided that their DNS server accepts incoming requests from Imperva\u2019s proxies only (this configuration should be done in the onboarding process); thus, they should block incoming requests from other IPs and block requests that are not for the protected domain.\n\n## **How do we protect against this vulnerability?**\n\nThe Imperva service checks the requested DNS name and forwards the request to the origin (authoritative DNS server) only if the name matches the authoritative domain name.\n\nFor example: if a protected DNS customer protects the domain d1.com, only DNS queries that match *.d1.com are forwarded to the origin server; any other domain name is not forwarded. \n\nIn an attempt to exploit this vulnerability, an attacker would send a malicious DNS query with a domain name that is under the attacker\u2019s control (e.g. *.attacker.com). However, this query will not be forwarded to the origin because it doesn\u2019t match *.d1.com.\n\nMore focus on DNS is also on the docket at Imperva, in the form of a complete DNS offering later this year. 
The offering will include a fully managed secured DNS service, where you\u2019ll be able to administrate and secure your DNS zones, mitigating L3/4 volumetric, protocol & DNS DDoS attacks.\n\nThe goal is to provide a best-in-class secured DNS solution with maximum reliability, security and visibility, complemented by the kind of full management capabilities you\u2019d expect from a world-class DNS solution.\n\nIn the meantime, if you have further questions about CVE-2020-1350, or need additional information on how Imperva can offer you top-notch, edge to end protection, [contact us](<https://www.imperva.com/contact-us/>) today.\n\nThe post [Imperva Shields Against Windows DNS Server RCE Vulnerability (CVE-2020-1350)](<https://www.imperva.com/blog/imperva-shields-against-windows-dns-server-rce-vulnerability-cve-2020-1350/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-21T11:24:14", "type": "impervablog", "title": "Imperva Shields Against Windows DNS Server RCE Vulnerability (CVE-2020-1350)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-21T11:24:14", "id": "IMPERVABLOG:020B268DFC760B88704D35A6F4CF30D7", "href": "https://www.imperva.com/blog/imperva-shields-against-windows-dns-server-rce-vulnerability-cve-2020-1350/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-06-14T15:27:25", "description": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.\n\nTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.\n\nThe update addresses the vulnerability by modifying how Windows DNS servers handle requests.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T07:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-28T07:00:00", "id": "MS:CVE-2020-1350", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1350", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2023-06-06T14:57:07", "description": "Microsoft's security update in July 2020 addresses the CVE-2020-1350 vulnerability. To exploit the vulnerability, an unauthenticated attacker could send specially crafted requests to a Windows DNS server. An attacker who successfully exploited the vulnerability could run arbitrary code remotely. (Vulnerability ID: HWPSIRT-2020-59863)\n\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\n\n[http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200716-01-dns-en](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200716-01-dns-en>)\n\n \n\n\n[](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200701-01-upnp-en>)\n\n[](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-02-phone-en>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-16T00:00:00", "type": "huawei", "title": "Security Advisory - Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-16T00:00:00", "id": "HUAWEI-SA-20200716-01-DNS", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200716-01-dns-en", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-07-05T14:29:54", "description": "The remote Windows host is missing a security update. It is, therefore, affected by a remote code execution vulnerability:\n\n - A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. 
(CVE-2020-1350)\n\nNote: Tenable is testing for the presence of updates which address this issue, as well as Microsoft's recommended mitigation/workaround.\n\nThe registry key being checked for the mitigation is:\n - HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\TcpReceivePacketSize and it is being checked for Microsoft's recommended value of 0xFF00.\n\nOnce in place, the DNS Service must be restarted for the change to take effect.\n\nFor more information, refer to the Microsoft advisory for CVE-2020-1350.", "cvss3": {}, "published": "2020-07-17T00:00:00", "type": "nessus", "title": "Windows DNS Server RCE (CVE-2020-1350)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JUL_DNS_CHECK.NASL", "href": "https://www.tenable.com/plugins/nessus/138600", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138600);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/08\");\n\n script_cve_id(\"CVE-2020-1350\");\n script_xref(name:\"MSKB\", value:\"4558998\");\n script_xref(name:\"MSKB\", value:\"4565483\");\n script_xref(name:\"MSKB\", value:\"4565503\");\n script_xref(name:\"MSKB\", value:\"4565511\");\n script_xref(name:\"MSKB\", value:\"4565524\");\n script_xref(name:\"MSKB\", value:\"4565529\");\n script_xref(name:\"MSKB\", value:\"4565535\");\n script_xref(name:\"MSKB\", value:\"4565536\");\n script_xref(name:\"MSKB\", value:\"4565537\");\n script_xref(name:\"MSKB\", value:\"4565539\");\n script_xref(name:\"MSKB\", value:\"4565540\");\n script_xref(name:\"MSKB\", value:\"4565541\");\n script_xref(name:\"MSFT\", value:\"MS20-4558998\");\n script_xref(name:\"MSFT\", value:\"MS20-4565483\");\n script_xref(name:\"MSFT\", value:\"MS20-4565503\");\n script_xref(name:\"MSFT\", value:\"MS20-4565511\");\n script_xref(name:\"MSFT\", value:\"MS20-4565524\");\n script_xref(name:\"MSFT\", value:\"MS20-4565529\");\n script_xref(name:\"MSFT\", value:\"MS20-4565535\");\n script_xref(name:\"MSFT\", value:\"MS20-4565536\");\n script_xref(name:\"MSFT\", value:\"MS20-4565537\");\n script_xref(name:\"MSFT\", value:\"MS20-4565539\");\n script_xref(name:\"MSFT\", value:\"MS20-4565540\");\n script_xref(name:\"MSFT\", value:\"MS20-4565541\");\n script_xref(name:\"IAVA\", value:\"2020-A-0299\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/07/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0059\");\n\n script_name(english:\"Windows DNS Server RCE (CVE-2020-1350)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is, \ntherefore, affected by a remote code execution vulnerability:\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System servers when they fail to properly\n handle requests. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the Local System Account. Windows servers\n that are configured as DNS servers are at risk from this\n vulnerability. (CVE-2020-1350)\n\nNote: Tenable is testing for the presence of updates which address this issue, as well as Microsoft's recommended\nmitigation/workaround.\n\nThe registry key being checked for the mitigation is:\n - HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\TcpReceivePacketSize\nand it is being checked for Microsoft's recommended value of 0xFF00.\n\nOnce in place, the DNS Service must be restarted for the change to take effect.\n\nFor more information, refer to the Microsoft advisory for CVE-2020-1350.\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6a916fa9\");\n # https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f3307e60\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate security update or mitigation as described in the Microsoft advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1350\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"wmi_enum_server_features.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\", \"SMB/WMI/Available\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\n\nfunction is_dns_server()\n{\n local_var server_features, feature;\n server_features = get_kb_list(\"WMI/server_feature/*\");\n foreach (feature in server_features)\n {\n if ('DNS Server' == feature) return 1;\n }\n return 0;\n}\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-07';\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nmy_os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\nmy_os_build = get_kb_item('SMB/WindowsVersionBuild');\nmy_prod = get_kb_item_or_exit('SMB/ProductName');\nsp = 0;\nvuln = FALSE;\nmitigated = FALSE;\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n## Set kbs and sp\nif(my_os == '6.0' && 'server' >< tolower(my_prod))\n{\n kbs = make_list('4565536','4565529');\n sp = 2;\n}\nelse if(my_os == '6.1' && 'server' >< tolower(my_prod))\n{\n kbs = make_list('4565524','4565539');\n sp = 1;\n}\nelse if(my_os == '6.2' && 'server' >< tolower(my_prod))\n{\n kbs = make_list('4565537','4565535');\n}\nelse if(my_os == '6.3' && 'server' >< tolower(my_prod))\n{\n kbs = make_list('4565541','4565540');\n}\nelse if(my_os == '10' && 'server' >< tolower(my_prod))\n{\n if(my_os_build == '14393') kbs = make_list('4565511');\n else if(my_os_build == '17763') kbs = make_list('4558998');\n else if(my_os_build == '18362') kbs = make_list('4565483');\n else if(my_os_build == '18363') kbs = make_list('4565483');\n else if(my_os_build == '19041') kbs = make_list('4565503');\n}\nelse\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare 
= hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( my_os == '10' )\n{ \n vuln = smb_check_rollup( os:'10',\n sp:0,\n os_build:my_os_build,\n rollup_date:'07_2020',\n bulletin:bulletin,\n rollup_kb_list:kbs\n );\n}\nelse\n{\n vuln = smb_check_rollup( os:my_os, \n sp:sp,\n rollup_date:'07_2020',\n bulletin:bulletin,\n rollup_kb_list:kbs\n );\n}\n\n## Check mitigation\nmitigation_key = 'SYSTEM\\\\CurrentControlSet\\\\Services\\\\DNS\\\\Parameters\\\\TcpReceivePacketSize';\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\npacketsize = get_registry_value(handle:hklm, item:mitigation_key);\nRegCloseKey(handle:hklm);\nclose_registry(close:TRUE);\n\nif (!isnull(packetsize) && (packetsize == 65280))\n mitigated = TRUE;\n\nif(vuln && is_dns_server() && !mitigated)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-05T14:28:58", "description": "According to its self-reported version number, the Microsoft DNS Server running on the remote host is affected by a remote code execution vulnerability. 
An unauthenticated, remote attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.\n\nNote that in order to get the full Microsoft DNS server version, the EnableVersionQuery DNS setting would need to be set to 1.", "cvss3": {}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Microsoft DNS Server Remote Code Execution (SIGRed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "MS_DNS_CVE-2020-1350.NASL", "href": "https://www.tenable.com/plugins/nessus/138554", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138554);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/08\");\n\n script_cve_id(\"CVE-2020-1350\");\n script_xref(name:\"IAVA\", value:\"2020-A-0299\");\n script_xref(name:\"MSKB\", value:\"4558998\");\n script_xref(name:\"MSKB\", value:\"4565483\");\n script_xref(name:\"MSKB\", value:\"4565503\");\n script_xref(name:\"MSKB\", value:\"4565511\");\n script_xref(name:\"MSKB\", value:\"4565524\");\n script_xref(name:\"MSKB\", value:\"4565529\");\n script_xref(name:\"MSKB\", value:\"4565535\");\n script_xref(name:\"MSKB\", value:\"4565536\");\n script_xref(name:\"MSKB\", value:\"4565537\");\n script_xref(name:\"MSKB\", value:\"4565539\");\n script_xref(name:\"MSKB\", value:\"4565540\");\n script_xref(name:\"MSKB\", value:\"4565541\");\n script_xref(name:\"MSFT\", value:\"MS20-4558998\");\n script_xref(name:\"MSFT\", value:\"MS20-4565483\");\n script_xref(name:\"MSFT\", value:\"MS20-4565503\");\n script_xref(name:\"MSFT\", value:\"MS20-4565511\");\n script_xref(name:\"MSFT\", value:\"MS20-4565524\");\n script_xref(name:\"MSFT\", value:\"MS20-4565529\");\n script_xref(name:\"MSFT\", value:\"MS20-4565535\");\n script_xref(name:\"MSFT\", 
value:\"MS20-4565536\");\n script_xref(name:\"MSFT\", value:\"MS20-4565537\");\n script_xref(name:\"MSFT\", value:\"MS20-4565539\");\n script_xref(name:\"MSFT\", value:\"MS20-4565540\");\n script_xref(name:\"MSFT\", value:\"MS20-4565541\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/07/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0059\");\n\n script_name(english:\"Microsoft DNS Server Remote Code Execution (SIGRed)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The DNS server running on the remote host is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Microsoft DNS\nServer running on the remote host is affected by a remote code\nexecution vulnerability. An unauthenticated, remote attacker who\nsuccessfully exploited the vulnerability could run arbitrary code in\nthe context of the Local System Account.\n\nNote that in order to get the full Microsoft DNS server version, the\nEnableVersionQuery DNS setting would need to be set to 1.\");\n # https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?22a53c13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, version 1903, 1909, and 2004.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1350\");\n\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"DNS\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_dns_version.nasl\");\n script_require_keys(\"ms_dns/version\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nkb_ver = 'ms_dns/version';\nversion = get_kb_item_or_exit(kb_ver);\nport = 53;\n\napp_info = vcf::get_app_info(app:'Microsoft DNS server', kb_ver:kb_ver, port:port);\n\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\nconstraints = [\n # Windows Server 2008\n { 'min_version': '6.0.6003.0', 'fixed_version': '6.0.6003.20885' },\n\n # Windows Server 2008 R2\n { 'min_version': '6.1.7601.0', 'fixed_version': '6.1.7601.24557' },\n\n # Windows Sever 2012\n { 'min_version': '6.2.9200.0', 'fixed_version': '6.2.9200.23084' },\n\n # Windows Sever 2012 R2\n { 'min_version': '6.3.9600.0', 'fixed_version': '6.3.9600.19759' },\n \n # Windows Server 2016\n { 'min_version': '10.0.14393.0', 'fixed_version': '10.0.14393.3808' },\n\n # Windows Server 2019\n { 'min_version': '10.0.17763.0', 'fixed_version': '10.0.17763.1339' },\n\n # Windows Server, version 1903/1909\n # 1903 and 1909 have the same 
KB\n { 'min_version': '10.0.18362.0', 'fixed_version': '10.0.18362.959' },\n\n # Windows Server, version 2004\n { 'min_version': '10.0.19041.0', 'fixed_version': '10.0.19041.388' }\n\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Windows DNS Servers fail to properly handle requests, allowing an attacker to perform remote code execution in the context of the Local System Account. The vulnerability is also known under the moniker of SIGRed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-1350", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-06-06T15:07:48", 
"description": "A remote code execution vulnerability codenamed \u201cSigRed\u201d exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.\n\nTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.\n\nThe update addresses the vulnerability by modifying how Windows DNS servers handle requests.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 14, 2020 6:11pm UTC reported:\n\nImportant Update: This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nUpdate: Checkpoint has since released their blog post at <https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/> with much more details on this vulnerability than when I originally wrote this. I\u2019ll update a few statements here but readers are encouraged to read the paper for more details.\n\nOn July 14th, 2020, Microsoft released CVE-2020-1350, a critical DNS server remote code execution vulnerability that can result in Domain compromise and which is listed as a 10.0 CVE rating. Microsoft also described this vulnerability as wormable and recommended the following mitigation:\n \n \n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters \n DWORD = TcpReceivePacketSize \n Value = 0xFF00\n \n\nThis is rather odd to me. 
0xFF00 looks like a potential mitigation against a integer overflow, as its possible the vulnerability stems from any packets being over 0xFFFF causing an integer overflow in memory, resulting in the allocation of a very small amount of memory to hold a very large buffer. At the very least, the fact that the recommended mitigation forcibly controls the max size of the packet that can be received suggests that this is a buffer overflow of some sort. Given the dynamic nature of DNS and the fact that it has to handle multiple requests at once, my guess is that its a heap buffer overflow.\n\nNow that CheckPoint\u2019s blog post is public one can confirm that this is in fact a integer overflow leading to a heap buffer overflow within the `SigWireRead` function of `dns.exe`, the server component of Microsoft\u2019s DNS implementation. When the DNS server receives a SIG query response, that, when decompressed, incremented by 0x14, and added to the result of an earlier `Name_PacketNameToCountNameEx` call, is greater than 0xFFFF, will result in integer overflow, resulting in the following `RR_AllocateEx` call allocating too small of a heap buffer for the resource record, and a heap buffer overflow occurring when `memcpy` is called to copy the SIG query response into the overly small heap buffer that `RR_AllocateEx` allocated.\n\nA very important point to note here is that whilst there is a RCE potential here by smuggling DNS requests over HTTP, it seems that CheckPoint has noted that only some browsers, notably Microsoft Edge and Internet Explorer, actually support sending HTTP requests to port 53, so whilst their video at <https://youtu.be/PUlMmhD5it8> is certainly pretty cool, its important to note that with Google Chrome taking up over 65% of the browser market share according to <https://gs.statcounter.com/browser-market-share> as of July 2020, and IE and Edge accounting for a combined total of roughly 4% of all browsers, its pretty unlikely that most organizations will 
be affected by the HTTP smuggling attack vector unless users are forced to use IE/Edge in their networks for some reason (such as support for legacy apps).\n\nEdit: **@cblack-r7** Also pointed out to me that looking at <https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability> they mention this line \u201cAfter the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.\u201d He noticed that the terminology \u201cupstream server\u201d could mean that the malicious overly large DNS response has to come from an upstream resolver, which could complicate this vulnerability a little bit. This is also something that **@busterb**\u2019s assessment seems to reflect concern about and is something that the CheckPoint blog doesn\u2019t really address from what I\u2019ve seen (though feel free to correct me if I am wrong here)\n\nIt should be noted that this vulnerability only affects Microsoft\u2019s DNS implementation, however it goes way back all the way to Windows Server 2008. I wouldn\u2019t be surprised if this also potentially affected Windows Server 2003 as well though, given how these types of vulns tend to be rather systemic, but I could be wrong there.\n\nAnother important point to note is that on Windows the DNS service runs as SYSTEM, so this will essentially be a remote SYSTEM level exploit for any attackers, which is pretty powerful. Unfortunately there is a limitation that if this is a remote RCE on the heap, the attacker will most likely have to deal with a lot of the new heap related mitigations introduced starting with Windows 8 and which were greatly improved with Windows 10. 
So this likely means that Windows Server 2008 and Windows Server 2008 R2 will be easy to develop an exploit for, but more recent servers like Windows Server 2019 may see a noticeable lag in exploit development time whilst exploit developers work their way around these mitigations. This can be seen in past heap overflow exploits where the Windows 7/Windows Server 2008 exploit came out very quickly but in some cases it took several months or even a year for the Windows 10/Server 2019 exploit to come out.\n\nIt should be noted that whilst this vulnerability has not been used in active attacks according to Microsoft, I\u2019d safely place money on seeing this vulnerability get weaponized very quickly.\n\n**busterb** at July 14, 2020 9:20pm UTC reported:\n\nImportant Update: This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nUpdate: Checkpoint has since released their blog post at <https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/> with much more details on this vulnerability than when I originally wrote this. I\u2019ll update a few statements here but readers are encouraged to read the paper for more details.\n\nOn July 14th, 2020, Microsoft released CVE-2020-1350, a critical DNS server remote code execution vulnerability that can result in Domain compromise and which is listed as a 10.0 CVE rating. Microsoft also described this vulnerability as wormable and recommended the following mitigation:\n \n \n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters \n DWORD = TcpReceivePacketSize \n Value = 0xFF00\n \n\nThis is rather odd to me. 
0xFF00 looks like a potential mitigation against a integer overflow, as its possible the vulnerability stems from any packets being over 0xFFFF causing an integer overflow in memory, resulting in the allocation of a very small amount of memory to hold a very large buffer. At the very least, the fact that the recommended mitigation forcibly controls the max size of the packet that can be received suggests that this is a buffer overflow of some sort. Given the dynamic nature of DNS and the fact that it has to handle multiple requests at once, my guess is that its a heap buffer overflow.\n\nNow that CheckPoint\u2019s blog post is public one can confirm that this is in fact a integer overflow leading to a heap buffer overflow within the `SigWireRead` function of `dns.exe`, the server component of Microsoft\u2019s DNS implementation. When the DNS server receives a SIG query response, that, when decompressed, incremented by 0x14, and added to the result of an earlier `Name_PacketNameToCountNameEx` call, is greater than 0xFFFF, will result in integer overflow, resulting in the following `RR_AllocateEx` call allocating too small of a heap buffer for the resource record, and a heap buffer overflow occurring when `memcpy` is called to copy the SIG query response into the overly small heap buffer that `RR_AllocateEx` allocated.\n\nA very important point to note here is that whilst there is a RCE potential here by smuggling DNS requests over HTTP, it seems that CheckPoint has noted that only some browsers, notably Microsoft Edge and Internet Explorer, actually support sending HTTP requests to port 53, so whilst their video at <https://youtu.be/PUlMmhD5it8> is certainly pretty cool, its important to note that with Google Chrome taking up over 65% of the browser market share according to <https://gs.statcounter.com/browser-market-share> as of July 2020, and IE and Edge accounting for a combined total of roughly 4% of all browsers, its pretty unlikely that most organizations will 
be affected by the HTTP smuggling attack vector unless users are forced to use IE/Edge in their networks for some reason (such as support for legacy apps).\n\nEdit: **@cblack-r7** Also pointed out to me that looking at <https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability> they mention this line \u201cAfter the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.\u201d He noticed that the terminology \u201cupstream server\u201d could mean that the malicious overly large DNS response has to come from an upstream resolver, which could complicate this vulnerability a little bit. This is also something that **@busterb**\u2019s assessment seems to reflect concern about and is something that the CheckPoint blog doesn\u2019t really address from what I\u2019ve seen (though feel free to correct me if I am wrong here)\n\nIt should be noted that this vulnerability only affects Microsoft\u2019s DNS implementation, however it goes way back all the way to Windows Server 2008. I wouldn\u2019t be surprised if this also potentially affected Windows Server 2003 as well though, given how these types of vulns tend to be rather systemic, but I could be wrong there.\n\nAnother important point to note is that on Windows the DNS service runs as SYSTEM, so this will essentially be a remote SYSTEM level exploit for any attackers, which is pretty powerful. Unfortunately there is a limitation that if this is a remote RCE on the heap, the attacker will most likely have to deal with a lot of the new heap related mitigations introduced starting with Windows 8 and which were greatly improved with Windows 10. 
So this likely means that Windows Server 2008 and Windows Server 2008 R2 will be easy to develop an exploit for, but more recent servers like Windows Server 2019 may see a noticeable lag in exploit development time whilst exploit developers work their way around these mitigations. This can be seen in past heap overflow exploits where the Windows 7/Windows Server 2008 exploit came out very quickly but in some cases it took several months or even a year for the Windows 10/Server 2019 exploit to come out.\n\nIt should be noted that whilst this vulnerability has not been used in active attacks according to Microsoft, I\u2019d safely place money on seeing this vulnerability get weaponized very quickly.\n\n**ccondon-r7** at July 28, 2020 8:24pm UTC reported:\n\nImportant Update: This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nUpdate: Checkpoint has since released their blog post at <https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/> with much more details on this vulnerability than when I originally wrote this. I\u2019ll update a few statements here but readers are encouraged to read the paper for more details.\n\nOn July 14th, 2020, Microsoft released CVE-2020-1350, a critical DNS server remote code execution vulnerability that can result in Domain compromise and which is listed as a 10.0 CVE rating. Microsoft also described this vulnerability as wormable and recommended the following mitigation:\n \n \n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters \n DWORD = TcpReceivePacketSize \n Value = 0xFF00\n \n\nThis is rather odd to me. 
0xFF00 looks like a potential mitigation against a integer overflow, as its possible the vulnerability stems from any packets being over 0xFFFF causing an integer overflow in memory, resulting in the allocation of a very small amount of memory to hold a very large buffer. At the very least, the fact that the recommended mitigation forcibly controls the max size of the packet that can be received suggests that this is a buffer overflow of some sort. Given the dynamic nature of DNS and the fact that it has to handle multiple requests at once, my guess is that its a heap buffer overflow.\n\nNow that CheckPoint\u2019s blog post is public one can confirm that this is in fact a integer overflow leading to a heap buffer overflow within the `SigWireRead` function of `dns.exe`, the server component of Microsoft\u2019s DNS implementation. When the DNS server receives a SIG query response, that, when decompressed, incremented by 0x14, and added to the result of an earlier `Name_PacketNameToCountNameEx` call, is greater than 0xFFFF, will result in integer overflow, resulting in the following `RR_AllocateEx` call allocating too small of a heap buffer for the resource record, and a heap buffer overflow occurring when `memcpy` is called to copy the SIG query response into the overly small heap buffer that `RR_AllocateEx` allocated.\n\nA very important point to note here is that whilst there is a RCE potential here by smuggling DNS requests over HTTP, it seems that CheckPoint has noted that only some browsers, notably Microsoft Edge and Internet Explorer, actually support sending HTTP requests to port 53, so whilst their video at <https://youtu.be/PUlMmhD5it8> is certainly pretty cool, its important to note that with Google Chrome taking up over 65% of the browser market share according to <https://gs.statcounter.com/browser-market-share> as of July 2020, and IE and Edge accounting for a combined total of roughly 4% of all browsers, its pretty unlikely that most organizations will 
be affected by the HTTP smuggling attack vector unless users are forced to use IE/Edge in their networks for some reason (such as support for legacy apps).\n\nEdit: **@cblack-r7** Also pointed out to me that looking at <https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability> they mention this line \u201cAfter the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.\u201d He noticed that the terminology \u201cupstream server\u201d could mean that the malicious overly large DNS response has to come from an upstream resolver, which could complicate this vulnerability a little bit. This is also something that **@busterb**\u2019s assessment seems to reflect concern about and is something that the CheckPoint blog doesn\u2019t really address from what I\u2019ve seen (though feel free to correct me if I am wrong here)\n\nIt should be noted that this vulnerability only affects Microsoft\u2019s DNS implementation, however it goes way back all the way to Windows Server 2008. I wouldn\u2019t be surprised if this also potentially affected Windows Server 2003 as well though, given how these types of vulns tend to be rather systemic, but I could be wrong there.\n\nAnother important point to note is that on Windows the DNS service runs as SYSTEM, so this will essentially be a remote SYSTEM level exploit for any attackers, which is pretty powerful. Unfortunately there is a limitation that if this is a remote RCE on the heap, the attacker will most likely have to deal with a lot of the new heap related mitigations introduced starting with Windows 8 and which were greatly improved with Windows 10. 
So this likely means that Windows Server 2008 and Windows Server 2008 R2 will be easy to develop an exploit for, but more recent servers like Windows Server 2019 may see a noticeable lag in exploit development time whilst exploit developers work their way around these mitigations. This can be seen in past heap overflow exploits where the Windows 7/Windows Server 2008 exploit came out very quickly but in some cases it took several months or even a year for the Windows 10/Server 2019 exploit to come out.\n\nIt should be noted that whilst this vulnerability has not been used in active attacks according to Microsoft, I\u2019d safely place money on seeing this vulnerability get weaponized very quickly.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2020-1350 Windows DNS Server Remote Code Execution (SigRed)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-12-28T00:00:00", "id": "AKB:1DE0ADEC-8107-491A-BC8F-DCC3BF6EB3AB", 
"href": "https://attackerkb.com/topics/egp32neD6z/cve-2020-1350-windows-dns-server-remote-code-execution-sigred", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-06-06T14:21:49", "description": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T23:15:00", "type": "cve", "title": "CVE-2020-1350", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2020-1350", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1350", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*"]}], "pentestpartners": [{"lastseen": "2020-09-23T14:54:17", "description": "### \n\n### TL;DR\n\nYes, apply the update from Microsoft.\n\n### The new MS08-067?\n\nCVE-2020-1472 is an elevation of privilege vulnerability in a cryptographic authentication scheme used by the Netlogon service and was discovered (and named Zerologon) by Tom Tervoort at [Secura](<https://www.secura.com/blog/zero-logon>). It does not require authentication. It can be used by an attacker to remotely compromise a domain controller, the result being domain admin access. That pretty much as bad as it gets, naturally it is rated critical by [Microsoft](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>).\n\nThe vulnerability was patched in August 2020 in the first of a 2 part update, the first mitigates, the second (coming in 2021) fully closes it.\n\n### What\u2019s affected?\n\nAll flavours of Microsoft Windows Server, including server core. 
Though the impact is predominantly going to affect your domain controllers.\n\nSome versions of Linux are also vulnerable, [SUSE](<https://www.suse.com/support/kb/doc/?id=000019713>), [Red Hat](<https://access.redhat.com/security/cve/CVE-2020-1472>)\n\n### Is it a risk for me?\n\nCommonly when Microsoft release a critical update the Infosec community make a big deal out of the vulnerability, rightly so in some cases, but in others often there is not actual public exploit code available. Now that doesn\u2019t mean there isn\u2019t code available in private groups and that those risks shouldn\u2019t be taken seriously, but the absence of exploit code does make the bar of exploit that little bit higher. Unlike [some cases](<https://blog.zsec.uk/cve-2020-1350-research/>), in Zerologon\u2019s case there are currently 31 repositories on Github which purport to reference the vulnerability:\n\n\n\nThese range from a basic detection type script through to full takeover of a domain. Whilst we cannot confirm the authenticity of all of these, some are known to function as expected, they should be taken seriously.\n\nAs exploits develop they are getting more advanced, the early attacks would render the domain controller the exploit was run on unusable, this is now getting refined to allow the attacker to recover the domain controller. The code is even being added to the popular [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) exploitation tool.\n\nThere is a risk that disgruntled internal staff will exploit this, right now there are no known PowerShell versions of this exploit and so short of an internal staff member using their own laptop it\u2019s unlikely that they will have the toolset to exploit it\u2026however, this will change.\n\nThe threat is real. 
This is becoming a \u2018point and click\u2019 type exploit.\n\n### What mitigating factors are there?\n\nIn order to exploit the vulnerability the attacker does need to be on the local area network, however, does not need credentials. This does mean an attacker needs to be inside your network boundary, but this could be achieved in many ways, most obviously through a phishing attach, but that may not be necessary\u2026 Have you got wired network points in public meeting rooms? How secure is your wireless?\n\nA read only domain controller is also likely affected, but it is unclear in what way. Read only domain controllers may increase the risk to your organisation as commonly these are placed outside the trust boundaries.\n\nThe exploit currently breaks the domain controller it is exploited on and so it is unlikely that responsible security consultants will execute the exploit, however, unknown threat actors are likely to. This is also likely to be improved as time goes on.\n\nThen\u2026well\u2026 there is the patch obviously.\n\nOnce you have applied the patch you can enable some [registry keys](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) that will enable DC enforcement, this will deny vulnerable Netlogon connections unless the account is allowed. 
Note, this will become the default in early 2021 as Microsoft will release a second update to implement this.\n\n### Detecting the exploit\n\nThere are a handful of rules you can add to your security monitoring server (thank you [Corelight](<https://corelight.blog/2020/09/16/detecting-zerologon-cve-2020-1472-with-zeek/>) for these links).\n\n * [Splunk](<https://www.linkedin.com/feed/update/urn:li:activity:6711471711751168000/>)\n * [Sigma](<https://twitter.com/andriinb/status/1304676530350628864?s=1>)\n * [Zeek](<https://github.com/corelight/zerologon>)\n\nEvent ID 4742 is worth monitoring, that will show changes to a computer account which is what Zerologon is doing. Though sadly this will likely only show you have already been compromised\n\nThere are a number of other detection options in [this blog from Lares](<https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/>). Though sadly, like the above, this will likely only show you have already been compromised\n\n### Conclusion\n\nSo in short, yes you should worry, this will be exploited for many years to come, we are still seeing MS08-067 in use, the exploits will get more reliable. The risk is very much real and the impact is as severe as it gets for an enterprise domain.\n\nThis is currently a changing threat, more and more researchers are looking at this and finding novel ways to exploit it.\n\nGet patching!\n\nThe post [CVE-2020-1472/Zerologon. As an IT manager should I worry?](<https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an-it-manager-should-i-worry/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com/>).", "cvss3": {}, "published": "2020-09-23T05:05:06", "type": "pentestpartners", "title": "CVE-2020-1472/Zerologon. 
As an IT manager should I worry?", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1350", "CVE-2020-1472"], "modified": "2020-09-23T05:05:06", "id": "PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0", "href": "https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an-it-manager-should-i-worry/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2020-12-20T04:20:58", "description": "This episode is based on posts from [my Telegram channel avleonovcom](<https://t.me/avleonovcom>), published in the last 2 weeks. So, if you use Telegram, please subscribe. I update it frequently.\n\n\n\n## Barapass update\n\nI recently [released an update](<https://github.com/leonov-av/barapass>) to my password manager **barapass**. BTW, it seems to be my only pet project at the MVP stage, which I use every day. \n\nWhat's new:\n\n 1. Now I am sure that it works on Windows 10 without WSL. And you can run it beautifully even with the icon.  Read more about installation in Windows [in this file](<https://github.com/leonov-av/barapass/blob/master/how_to_use_barapass_in_windows.txt>).\n 2. Not only "copy the next value to the clipboard" (or "revolver mode" ) is now possible in the search results section. You can also get the previous value or copy the same value one again if it was somehow erased in the clipboard. Previously, I had to retype the search request each time to do this, and it was quite annoying. By the way, I unexpectedly discovered that the user input history inside the application magically works in the Windows shell (using up and down arrows) without any additional coding. On Linux it does not.\n 3. You can set a startup command, for example, to decrypt the container.\n 4. The startup command and quick (favorite) commands are now in settings.json and not hard-coded.\n 5. settings.json, container files and decrypted files are now in "files" directory. 
It became more convenient to update barapass, just change the scripts in the root directory and that\u2019s it. I divided the scripts into several files, now it should be more clear how it works.\n\nSo, if you need a minimalistic console password manager in which you can easily use any encryption you like - welcome! You can read more about **barapass **[in my previous post](<https://avleonov.com/2019/09/17/barapass-console-password-manager/>).\n\n## Google Tsunami\n\nHave you heard about this new open source Tsunami vulnerability scanner released by Google ([github](<https://github.com/google/tsunami-security-scanner>))? What do you think about it? Is it the real thing or just another [useless automation layer over nmap](<https://github.com/google/tsunami-security-scanner/blob/master/docs/orchestration.md>)? I am now more for the second option. And I'm pretty skeptical that they will make effective and safe plugins for exploit-based vulnerability detection. The fact that this is 99.5% Java code doesn't make me enthusiastic as well. But, of course, I want to believe that it will be new "kubernetes" in the Vulnerability Management area. Let's discuss in [@avleonovchat](<https://t.me/avleonovchat>)\n\n\n\nVote here: <https://t.me/avleonovcom/731>\n\n## RCE in Windows DNS Server\n\nYep, yet another short post about **SIGRed **([video](<https://www.youtube.com/watch?v=PUlMmhD5it8>), [MS CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)). Getting RCE with only a DNS request is really impressive. And it was there for 17 years! OMG, what attackers could do with this in corporate environment! 
[Checkpoint guys stated that](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) "Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it."\n\n\n\nVote here: <https://t.me/avleonovcom/733>\n\n## SAP RECON\n\nIf your organization uses **SAP **(my condolences), you should initiate some patching right now and make sure this stuff is NOT available on your network perimeter. There is already an [exploit](<https://github.com/chipik/SAP_RECON>) available for these vulnerabilities:\n\n[CVE-2020-6287](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>) - unauthenticated attacker can "execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user" \n[CVE-2020-6286](<https://nvd.nist.gov/vuln/detail/CVE-2020-6286>) - unauthenticated attacker can make Path Traversal\n\nI also found a funny bug: **Nessus **has a [remote plugin](<https://www.tenable.com/plugins/nessus/138506>) to detect these vulnerabilities, but you were not be able to find it on **Tenable **website by "CVE-2020-6287" in [CVE filter](<https://www.tenable.com/plugins/search?q=cves%3A\\(%22CVE-2020-6287%22\\)&sort=&page=1>). Why? When they edited CVE list in plugin, they have put "CVE-2020-6286" there twice. \n\n\n\n Sometimes such things happen. \n\n## Weird attack on Twitter\n\nA little bit about Twitter? Of course, [the last incident](<https://edition.cnn.com/2020/07/16/tech/twitter-hack-security-analysis/index.html>) puzzled me a lot. Let's say you have an access to the Twitter accounts of Bill Gates, Elon Musk, Obama, Apple and others, and you post a silly Bitcoin scam? Whaat? 
\n\n\n\nI recently had some practice in writing email templates for antiphishing trainings (btw, my [video about antiphishing](<https://www.youtube.com/watch?v=ODyJRBUZMfY>)) and was amazed what results can be achieved with regular email messages if you add a little bit of imagination and choose the right time. Even IT security professionals open files and urls, input credentials on fake sites, etc.!\n\nIt is absolutely clear that these attackers could have done something humongous. Starting from the massive gathering of user accounts / distribution of any malware through high-quality phishing websites and ending with advanced market manipulation. And instead of all this, some messages about bitcoins. It\u2019s strange.\n\n\n\nVote here: <https://t.me/avleonovcom/741>\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-18T18:31:16", "type": "avleonov", "title": "Barapass, Tsunami scanner, vulnerabilities in Windows DNS Server and SAP products, weird attack on Twitter", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350", "CVE-2020-6286", "CVE-2020-6287"], 
"modified": "2020-07-18T18:31:16", "id": "AVLEONOV:1ABE5F69187E5F9F8625DA462772F80C", "href": "http://feedproxy.google.com/~r/avleonov/~3/AmsqOJSEpTc/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-26T00:33:35", "description": "Hello everyone! It has been 3 months since [my last review of Microsoft vulnerabilities for Q4 2020](<https://avleonov.com/2021/01/11/vulristics-vulnerability-score-automated-data-collection-and-microsoft-patch-tuesdays-q4-2020/>). In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.\n\n\n\nI will be using the reports that I created with my [Vulristics tool](<https://github.com/leonov-av/vulristics>). This time I'll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.\n\n## January 2021\n\n * All vulnerabilities: 83\n * Urgent: 0\n * Critical: 1\n * High: 28\n * Medium: 51\n * Low: 3\n\nSo, what was interesting in January. The only critical vulnerability was Microsoft Defender Remote Code Execution (CVE-2021-1647). "Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized."\n\nThe most interesting High level vulnerability is Microsoft splwow64 Elevation of Privilege (CVE-2021-1648). 
"According to Maddie Stone, a researcher at Google Project Zero credited with identifying this vulnerability, CVE-2021-1648 is a patch bypass for CVE-2020-0986, which was exploited in the wild as a zero-day."\n\nAlso, vendors paid attention to a large number of Remote Procedure Call Runtime Remote Code Executions (CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701) and Windows Remote Desktop Security Feature Bypass (CVE-2021-1669). But there are still no signs of exploitation for them. They are all labeled High in the Vulristics report.\n\nThere were no public exploits for any of the January vulnerabilities. January was a quiet and calm month.\n\n## February 2021\n\n * All vulnerabilities: 57\n * Urgent: 1\n * Critical: 2\n * High: 21\n * Medium: 31\n * Low: 2\n\nOne Urgent level vulnerability is Elevation of Privilege in Win32k component of Windows 10 and Windows Server 2019 (CVE-2021-1732). According to Microsoft, this vulnerability has been exploited in the wild. "Successful exploitation would elevate the privileges of an attacker, potentially allowing them to create new accounts, install programs, and view, modify or delete data". Public exploit in a form of Metasploit Module is found at Vulners ([Win32k ConsoleControl Offset Confusion](<https://vulners.com/packetstorm/packetstorm:161880>)).\n\nBut the situation with other critical vulnerabilities is interesting. None of the VM vendors mentioned them in their Patch Tuesday reviews.\n\n * This is Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-24085), which is mentioned on [AttackerKB](<https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085>) and for which public exploit is found at Vulners ([Microsoft Exchange Server msExchEcpCanary CSRF / Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161528>)). This is not the same vulnerability that was exploited in HAFNIUM. 
We'll get to those vulnerabilities later.\n * Two other vulnerabilities, Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1698) and Microsoft Exchange Server (CVE-2021-1730), were exploitated in the wild. Therefore, the Vulristics Vulnerability Score is higher for them.\n\nIf vendors ignored these vulnerabilities, what vulnerabilities did they mention in their reports? \n\n * Primarily they wrote about Windows TCP/IP Remote Code Execution Vulnerabilities. "Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact."\n * Also about Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078). "RCE flaw within Windows server installations when configured as a DNS server. Affecting Windows Server versions from 2008 to 2019, including server core installations, this severe flaw is considered \u201cmore likely\u201d to be exploited and received a CVSSv3 score of 9.8. This bug is exploitable by a remote attacker with no requirements for user interaction or a privileged account. As the vulnerability affects DNS servers, it is possible this flaw could be wormable and spread within a network."\n\nBut for these 2 vulnerabilities, there are still no public exploits or signs of active exploitation in the wild. This, of course, does not mean that these vulnerabilities do not need to be fixed. 
When we see the exploitation of these vulnerabilities in the wild, it will be a disaster.
They have signs of exploitation in the wild at [AttackerKB](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855>) and [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). However, we still don't see public exploits.\n\n"[ProxyLogon](<https://proxylogon.com/>) is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port!"\n\nEverything is extremely serious with these vulnerabilities and if you have public unpatched Exchange servers, then there is a good chance that you have already been hacked. For example, by HAFNIUM.\n\n"Hafnium is a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC)".\n\n"Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we\u2019ve seen use these exploits, which are discussed in detail [by MSTIC here](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what\u2019s called a web shell to control the compromised server remotely. 
Third, it would use that remote access \u2013 run from the U.S.-based private servers \u2013 to steal data from an organization\u2019s network."\n\nIn short, these Exchange vulnerabilities are the top.\n\nThe rest are Chrome vulnerabilities, simply because Microsoft's browser is now based on Chrome.\n\nYou can download full versions of reports here:\n\n * [ms_patch_tuesday_january2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_january2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_february2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_february2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_march2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_march2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_other_Q1_2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_other_Q1_2021_report_avleonov_comments.html>)\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-03-26T02:47:52", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q1 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-0986", "CVE-2020-1350", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1664", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1669", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1698", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1730", "CVE-2021-1732", "CVE-2021-24074", "CVE-2021-24078", "CVE-2021-24085", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26891", "CVE-2021-27065"], "modified": "2021-03-26T02:47:52", "id": "AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "href": "http://feedproxy.google.com/~r/avleonov/~3/poQoyaBweKg/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-20T04:20:58", "description": "I am doing this episode about July vulnerabilities already in August. There are 2 reasons for this. First of all, July Microsoft Patch Tuesday was published in the middle of the month, as late as possible. Secondly, in the second half of July I spent my free time mostly on coding. And I would like to talk more about this.\n\n\n\n## Vulristics\n\nI decided to release my Microsoft Patch Tuesday reporting tool as part of a larger open source project ([github](<https://github.com/leonov-av/vulristics>)). I named it _Vulristics _(from \u201cVulnerability\u201d and \u201cHeuristics\u201d). I want this to be an extensible framework for analyzing publicly available information about vulnerabilities.\n\nLet's say we have a vulnerability ID (CVE ID) and we need to decide whether it is really critical or not. We will probably go to some vulnerability databases ([NVD](<https://nvd.nist.gov/vuln/detail/CVE-2020-1350>), [CVE page on the Microsoft website](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>), [Vulners.com](<https://vulners.com/cve/CVE-2020-1350>), etc.) and somehow analyze the descriptions and parameters. Right? Such analysis can be quite complex and not so obvious. My idea is to formalize it and make it shareable. 
It may not be the most efficient way to process data, but it should reflect real human experience, the things that real vulnerability analysts do. This is the main goal.\n\nCurrently, there are the following scripts available:\n\n 1. [report_ms_patch_tuesday.py](<https://github.com/leonov-av/vulristics/blob/master/report_ms_patch_tuesday.py>) - analyze and group Microsoft Patch Tuesday CVEs.\n 2. [report_cve.py](<https://github.com/leonov-av/vulristics/blob/master/report_cve.py>) - collect and preprocess CVE ID-related data from NVD, Microsoft.com and Vulners.\n 3. [report_ms_patch_tuesday_exploits.py](<https://github.com/leonov-av/vulristics/blob/master/report_ms_patch_tuesday_exploits.py>) - get Microsoft Patch Tuesday CVEs and filter vulnerabilities with public exploits (based on Vulners.com).\n\nOf course, we can do much more than that. I have plans to add:\n\n * analysis of the vulnerability description based on keywords and phrases (it's good that such descriptions usually have a fairly regular structure)\n * analysis of references\n * danger and relevance metrics counting ([vulnerability quadrants](<https://avleonov.com/2017/05/10/vulnerability-quadrants/>)) \nand so on.\n\nIf you have good ideas please [share them in the chat](<https://t.me/avleonovchat>). The help in coding will be also pretty much appreciated. \n\nFinally, some obvious warnings:\n\n * This tool is NOT an interface to any particular database.\n * The tool makes requests to third-party sources.\n\nSo keep in mind that if you actively use it for bulk operations, you may have problems with the owners of these third-party sources, for example, your IP address will simply be banned. So be careful and reasonable!\n\n## July MS Patch Tuesday Report\n\nBut enough about my tool, let's talk about the results for July MS Patch Tuesday. There were 123 vulnerabilities in July. 18 are critical and 105 are important. 
As for the public exploits, I checked the vulnerabilities with a report_ms_patch_tuesday_exploits.py and found nothing.\n\nThere are no exploits for these vulnerabilities on Vulners. Microsoft also believes that there are no _Exploitation detected_ vulnerabilities this time.\n\n### Exploitation more likely\n\nBut we see 8 _Exploitation of more likely_ vulnerabilities:\n\n#### Remote Code Execution\n\n * .NET Framework, SharePoint Server, and Visual Studio ([CVE-2020-1147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147>))\n * Remote Desktop Client ([CVE-2020-1374](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1374>))\n * VBScript ([CVE-2020-1403](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1403>))\n * Windows DNS Server ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>))\n\n#### Elevation of Privilege\n\n * Windows Graphics Component ([CVE-2020-1381](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1381>), [CVE-2020-1382](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1382>))\n * Windows Runtime ([CVE-2020-1399](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1399>))\n\n#### Information Disclosure\n\n * Windows Kernel ([CVE-2020-1426](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1426>))\n\nWindows DNS Server RCE ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), called SIGRed, is the star of this Patch Tuesday. It's extremely critical and has existed for 17 years, affecting Windows Server versions from 2003 to 2019. Getting RCE with only a DNS request is really impressive. 
Checkpoint guys made a [great article about this vulnerability](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) with [video of PoC](<https://www.youtube.com/watch?v=PUlMmhD5it8>) . When this vulnerability was released, there was a feeling that there would be a public RCE exploit soon. But still there are only several [Rickroll jokes](<https://github.com/ZephrFish/CVE-2020-1350>) and DoS exploit by [maxpl0it](<https://github.com/maxpl0it/CVE-2020-1350-DoS/commits?author=maxpl0it>), which looks workable, but for some reason is not present in the exploit databases, for example in [exploit-db](<https://www.exploit-db.com/>).Therefore, [Vulners does not see it](<https://vulners.com/cve/CVE-2020-1350>), as I mentioned above. Indeed, searching for exploits and exploit validation are important tasks!\n\nIn second place, of course, RDP Client RCE ([CVE-2020-1374](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1374>)). When a client connects to an infected server it become susceptible to an RCE attack. All versions from Windows 7 (and possibly earlier!) to the latest version of Windows 10 (2004) are vulnerable. Of course, the exploitation of this vulnerability requires social engineering or Man-in-the-Middle attack.\n\nNET Framework, SharePoint Server, and Visual Studio RCE ([CVE-2020-1147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147>)) involves the deserialization of XML content. To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content.\n\nVBScript RCE ([CVE-2020-1403](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1403>)). An attacker would have to convince a user to execute malicious code through phishing or to visit a malicious website, where the user would download and execute a crafted file. 
In fact, we see tons of these vulnerabilities every Patch Tuesday, but still no exploits.\n\nWindows Graphics Component Elevation of Privilege vulnerabilities ([CVE-2020-1381](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1381>), [CVE-2020-1382](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1382>)). An attacker logs onto a vulnerable system and executes a specially crafted application to run processes in an elevated context.\n\n### Other Product based (14)\n\nLooking at other vulnerabilities, the products with the most vulnerabilities are Hyper-V RemoteFX vGPU (RCEs) and Windows Runtime (EoPs). \n\n#### Hyper-V RemoteFX vGPU\n\n * Remote Code Execution ([CVE-2020-1032](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032>), [CVE-2020-1036](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036>), [CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>), [CVE-2020-1041](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041>), [CVE-2020-1042](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042>), [CVE-2020-1043](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043>))\n\n#### Windows Runtime\n\n * Elevation of Privilege ([CVE-2020-1249](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1249>), [CVE-2020-1353](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1353>), [CVE-2020-1370](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1370>), [CVE-2020-1404](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1404>), [CVE-2020-1413](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1413>), [CVE-2020-1414](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1414>), 
[CVE-2020-1415](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1415>), [CVE-2020-1422](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1422>))\n\nRCEs in Hyper-V RemoteFX vGPU ([CVE-2020-1032](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032>), [CVE-2020-1036](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036>), [CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>), [CVE-2020-1041](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041>), [CVE-2020-1042](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042>), [CVE-2020-1043](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043>)). Microsoft patch simply disables RemoteFX functionality. According to Microsoft: \u201cRemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. 
DDA was introduced in Windows Server 2016.\u201d\n\n### Other Vulnerability Type based (101)\n\n#### Remote Code Execution\n\n * DirectWrite ([CVE-2020-1409](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1409>))\n * GDI+ ([CVE-2020-1435](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1435>))\n * Jet Database Engine ([CVE-2020-1400](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1400>), [CVE-2020-1401](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1401>), [CVE-2020-1407](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1407>))\n * LNK ([CVE-2020-1421](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1421>))\n * Microsoft Excel ([CVE-2020-1240](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1240>))\n * Microsoft Graphics ([CVE-2020-1408](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1408>))\n * Microsoft Graphics Components ([CVE-2020-1412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1412>))\n * Microsoft Office ([CVE-2020-1458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1458>))\n * Microsoft Outlook ([CVE-2020-1349](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1349>))\n * Microsoft Project ([CVE-2020-1449](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1449>))\n * Microsoft SharePoint ([CVE-2020-1444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1444>))\n * Microsoft Word ([CVE-2020-1446](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1446>), [CVE-2020-1447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1447>), [CVE-2020-1448](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1448>))\n * 
PerformancePoint Services ([CVE-2020-1439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1439>))\n * Visual Studio Code ESLint Extention ([CVE-2020-1481](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1481>))\n * Windows Address Book ([CVE-2020-1410](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1410>))\n * Windows Font Driver Host ([CVE-2020-1355](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1355>))\n * Windows Font Library ([CVE-2020-1436](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1436>))\n\n#### Denial of Service\n\n * Bond ([CVE-2020-1469](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1469>))\n * Local Security Authority Subsystem Service ([CVE-2020-1267](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1267>))\n * Windows WalletService ([CVE-2020-1364](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1364>))\n\n#### Elevation of Privilege\n\n * Group Policy Services Policy Processing ([CVE-2020-1333](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1333>))\n * Microsoft Defender ([CVE-2020-1461](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1461>))\n * Microsoft Office ([CVE-2020-1025](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1025>))\n * Microsoft OneDrive ([CVE-2020-1465](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1465>))\n * Visual Studio and Visual Studio Code ([CVE-2020-1416](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1416>))\n * Windows ([CVE-2020-1388](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1388>), [CVE-2020-1392](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1392>), 
[CVE-2020-1394](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1394>), [CVE-2020-1395](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1395>))\n * Windows ALPC ([CVE-2020-1396](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1396>))\n * Windows ActiveX Installer Service ([CVE-2020-1402](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1402>))\n * Windows AppX Deployment Extensions ([CVE-2020-1431](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1431>))\n * Windows CNG Key Isolation Service ([CVE-2020-1359](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1359>), [CVE-2020-1384](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1384>))\n * Windows COM Server ([CVE-2020-1375](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1375>))\n * Windows Credential Enrollment Manager Service ([CVE-2020-1368](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1368>))\n * Windows Credential Picker ([CVE-2020-1385](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1385>))\n * Windows Diagnostics Hub ([CVE-2020-1393](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1393>), [CVE-2020-1418](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1418>))\n * Windows Error Reporting Manager ([CVE-2020-1429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1429>))\n * Windows Event Logging Service ([CVE-2020-1365](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1365>), [CVE-2020-1371](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1371>))\n * Windows Function Discovery Service 
([CVE-2020-1085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1085>))\n * Windows Kernel ([CVE-2020-1336](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1336>), [CVE-2020-1411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1411>))\n * Windows Lockscreen ([CVE-2020-1398](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1398>))\n * Windows Mobile Device Management Diagnostics ([CVE-2020-1372](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1372>), [CVE-2020-1405](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1405>))\n * Windows Modules Installer ([CVE-2020-1346](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1346>))\n * Windows Network Connections Service ([CVE-2020-1373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1373>), [CVE-2020-1390](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1390>), [CVE-2020-1427](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1427>), [CVE-2020-1428](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1428>), [CVE-2020-1438](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1438>))\n * Windows Network List Service ([CVE-2020-1406](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1406>))\n * Windows Network Location Awareness Service ([CVE-2020-1437](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1437>))\n * Windows Picker Platform ([CVE-2020-1363](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1363>))\n * Windows Print Workflow Service ([CVE-2020-1366](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1366>))\n * Windows Profile Service 
([CVE-2020-1360](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1360>))\n * Windows Push Notification Service ([CVE-2020-1387](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1387>))\n * Windows SharedStream Library ([CVE-2020-1463](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1463>))\n * Windows Storage Services ([CVE-2020-1347](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1347>))\n * Windows Subsystem for Linux ([CVE-2020-1423](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1423>))\n * Windows Sync Host Service ([CVE-2020-1434](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1434>))\n * Windows System Events Broker ([CVE-2020-1357](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1357>))\n * Windows UPnP Device Host ([CVE-2020-1354](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1354>), [CVE-2020-1430](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1430>))\n * Windows USO Core Worker ([CVE-2020-1352](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1352>))\n * Windows Update Stack ([CVE-2020-1424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1424>))\n * Windows WalletService ([CVE-2020-1344](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1344>), [CVE-2020-1362](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1362>), [CVE-2020-1369](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1369>))\n * Windows iSCSI Target Service ([CVE-2020-1356](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1356>))\n\n#### Information Disclosure\n\n * Connected User Experiences and Telemetry Service 
([CVE-2020-1386](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1386>))\n * Microsoft Edge PDF ([CVE-2020-1433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1433>))\n * Microsoft Graphics Component ([CVE-2020-1351](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1351>))\n * Microsoft Office ([CVE-2020-1342](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1342>), [CVE-2020-1445](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1445>))\n * Skype for Business via Internet Explorer ([CVE-2020-1432](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1432>))\n * Skype for Business via Microsoft Edge (EdgeHTML-based) ([CVE-2020-1462](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1462>))\n * Windows Agent Activation Runtime ([CVE-2020-1391](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1391>))\n * Windows Error Reporting ([CVE-2020-1420](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1420>))\n * Windows GDI ([CVE-2020-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1468>))\n * Windows Imaging Component ([CVE-2020-1397](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1397>))\n * Windows Kernel ([CVE-2020-1367](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1367>), [CVE-2020-1389](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1389>), [CVE-2020-1419](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1419>))\n * Windows Mobile Device Management Diagnostics ([CVE-2020-1330](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1330>))\n * Windows Resource Policy 
([CVE-2020-1358](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1358>))\n * Windows WalletService ([CVE-2020-1361](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1361>))\n\n#### Cross Site Scripting\n\n * Azure DevOps Server ([CVE-2020-1326](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1326>))\n * Microsoft SharePoint ([CVE-2020-1450](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1450>), [CVE-2020-1451](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1451>), [CVE-2020-1456](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1456>))\n * Microsoft SharePoint Reflective ([CVE-2020-1454](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1454>))\n * Office Web Apps ([CVE-2020-1442](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1442>))\n\n#### Spoofing\n\n * Microsoft SharePoint ([CVE-2020-1443](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1443>))\n\nAmong other vulnerabilities, vulnerability management vendors highlight\n\nRCE in PerformancePoint Services ([CVE-2020-1439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1439>)). PerformancePoint is a SharePoint component and the vulnerability is similar to the _Exploitation more likely_ SharePoint vulnerability ([CVE-2020-1147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147>)) we discussed above.\n\nMicrosoft Word RCEs ([CVE-2020-1446](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1446>), [CVE-2020-1447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1447>), [CVE-2020-1448](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1448>)). 
Exploitation of this vulnerability requires an attacker to send a specially crafted file to a victim, or to convince a user to visit a crafted website hosting a malicious file which the user must open with a vulnerable version of Microsoft Word. Obviously, this is good for phishing.\n\nJet Database Engine RCEs ([CVE-2020-1400](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1400>), [CVE-2020-1401](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1401>), [CVE-2020-1407](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1407>)). To exploit this vulnerability, an attacker must convince a victim to open a specially crafted file or visit a malicious website.\n\nVisual Studio Code ESLint Extension RCE ([CVE-2020-1481](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1481>)). To exploit this vulnerability, an attacker would need to convince a user to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute in the context of the current user, with the same rights and permissions.\n\nWindows Modules Installer Elevation of Privilege ([CVE-2020-1346](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1346>)) was mentioned by rapid7: "In this particular case, the Servicing Stack Updates released this month should been installed prior to installing the cumulative update/monthly rollup or security update patch. 
While it was not explicitly outlined, following these directions from Microsoft for CVE-2020-1346 may have a direct impact on the order of operations when resolving other issues such as CVE-2020-1350."\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-08-02T04:05:22", "type": "avleonov", "title": "Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1025", "CVE-2020-1032", "CVE-2020-1036", "CVE-2020-1040", "CVE-2020-1041", "CVE-2020-1042", "CVE-2020-1043", "CVE-2020-1085", "CVE-2020-1147", "CVE-2020-1240", "CVE-2020-1249", "CVE-2020-1267", "CVE-2020-1326", "CVE-2020-1330", "CVE-2020-1333", "CVE-2020-1336", "CVE-2020-1342", "CVE-2020-1344", "CVE-2020-1346", "CVE-2020-1347", "CVE-2020-1349", "CVE-2020-1350", "CVE-2020-1351", "CVE-2020-1352", "CVE-2020-1353", "CVE-2020-1354", "CVE-2020-1355", "CVE-2020-1356", "CVE-2020-1357", "CVE-2020-1358", "CVE-2020-1359", "CVE-2020-1360", "CVE-2020-1361", "CVE-2020-1362", "CVE-2020-1363", "CVE-2020-1364", "CVE-2020-1365", 
"CVE-2020-1366", "CVE-2020-1367", "CVE-2020-1368", "CVE-2020-1369", "CVE-2020-1370", "CVE-2020-1371", "CVE-2020-1372", "CVE-2020-1373", "CVE-2020-1374", "CVE-2020-1375", "CVE-2020-1381", "CVE-2020-1382", "CVE-2020-1384", "CVE-2020-1385", "CVE-2020-1386", "CVE-2020-1387", "CVE-2020-1388", "CVE-2020-1389", "CVE-2020-1390", "CVE-2020-1391", "CVE-2020-1392", "CVE-2020-1393", "CVE-2020-1394", "CVE-2020-1395", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1398", "CVE-2020-1399", "CVE-2020-1400", "CVE-2020-1401", "CVE-2020-1402", "CVE-2020-1403", "CVE-2020-1404", "CVE-2020-1405", "CVE-2020-1406", "CVE-2020-1407", "CVE-2020-1408", "CVE-2020-1409", "CVE-2020-1410", "CVE-2020-1411", "CVE-2020-1412", "CVE-2020-1413", "CVE-2020-1414", "CVE-2020-1415", "CVE-2020-1416", "CVE-2020-1418", "CVE-2020-1419", "CVE-2020-1420", "CVE-2020-1421", "CVE-2020-1422", "CVE-2020-1423", "CVE-2020-1424", "CVE-2020-1426", "CVE-2020-1427", "CVE-2020-1428", "CVE-2020-1429", "CVE-2020-1430", "CVE-2020-1431", "CVE-2020-1432", "CVE-2020-1433", "CVE-2020-1434", "CVE-2020-1435", "CVE-2020-1436", "CVE-2020-1437", "CVE-2020-1438", "CVE-2020-1439", "CVE-2020-1442", "CVE-2020-1443", "CVE-2020-1444", "CVE-2020-1445", "CVE-2020-1446", "CVE-2020-1447", "CVE-2020-1448", "CVE-2020-1449", "CVE-2020-1450", "CVE-2020-1451", "CVE-2020-1454", "CVE-2020-1456", "CVE-2020-1458", "CVE-2020-1461", "CVE-2020-1462", "CVE-2020-1463", "CVE-2020-1465", "CVE-2020-1468", "CVE-2020-1469", "CVE-2020-1481"], "modified": "2020-08-02T04:05:22", "id": "AVLEONOV:7DAB33D28205885E8979C4C664958CDC", "href": "http://feedproxy.google.com/~r/avleonov/~3/BltzY4Fi__s/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2023-01-19T18:11:26", "description": "In a sponsored security source code audit, security experts from X41 D-SEC GmbH (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found two notable critical flaws in Git's code. 
A vulnerability on Git could generally compromise source code repositories and developer systems, but \"wormable\" ones could result in large-scale breaches, according to the high-level [audit report](<https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/>). Microsoft [defines](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>) a flaw as \"wormable\" if it doesn't rely on human interaction, instead it allows malware to spread from one vulnerable system to another.\n\nThe two critical flaws, tracked as **[CVE-2022-23521](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521>)** and **[CVE-2022-41903](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903>)**, could allow threat actors to potentially run malware after taking advantage of overflow weaknesses in a system's memory.\n\nA total of eight vulnerabilities were found in Git's code. On top of the critical ones we mentioned, the experts also found one rated medium, one high, and four rated low severity. 27 other issues found don't have a direct security impact.\n\nA copy of the full audit report from X41 and GitLab can be found [here](<https://www.x41-dsec.de/static/reports/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf>).\n\n## Recommendation and workaround\n\nThe easiest way to protect against exploits of these critical vulnerabilities is to upgrade to the latest Git release, which is version **[2.39.1](<https://git-scm.com/downloads>)**, as well as [update your GitLab instance](<https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released/>) to one of these versions: **15.7.5**, **15.6.6**, and **15.5.9**. 
\n\n * [How to update GitLab](<https://about.gitlab.com/update/>)\n * [How to update GitLab Runner](<https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner>)\n\nVersion 2.39.1 of Git for Windows also addresses the flaw tracked as [CVE-2022-41953](<https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c>).\n\nThe researchers recommend those using Git continue to use safe wrappers and develop strategies to mitigate common memory safety issues. They also discouraged storing length values in signed integer typed variables.\n\n> \"Introducing generic hardenings such as sanity checks on data input length, and the use of safe wrappers can improve the security of the software in the short term. The usage of signed integer typed variables to store length values should be banned. Additionally, the software could benefit from compiler level checks regarding the use of integer and long variable types for length and size values. Enabling the related compiler warnings during the build process can help identify the issues early in the development process.\"\n\nPer [BleepingComputer](<https://www.bleepingcomputer.com/news/security/git-patches-two-critical-remote-code-execution-security-flaws/>), users who cannot upgrade to address CVE-2022-41903 may want to apply this workaround instead:\n\n * Disable 'git archive' in untrusted repositories or avoid running the command on untrusted repos\n * If 'git archive' is exposed via 'git daemon,' disable it when working with untrusted repositories by running the 'git config --global daemon.uploadArch false' command\n\n## CVE-2022-23521: Truncated Allocation Leading to Out-of-bounds (OOB) Write\n\nAn [OOB Write](<https://cwe.mitre.org/data/definitions/787.html>) occurs when software writes data before the beginning or past the end of a buffer, resulting in data corruption, a system crash, or code execution. 
This OOB Write is classed as a heap-based buffer overflow.\n\nThis flaw triggers when Git parses a crafted _.gitattributes_ file that may be part of a commit history, causing multiple integer overflows (also known as wraparounds). This means the program tries to store a value larger than the integer type can hold.\n\nIf this happens, OOB reads and writes can occur, which could then lead to remote code execution.\n\n## CVE-2022-41903: OOB Write in Log Formatting\n\nThis flaw is found in Git's commit-formatting mechanism, which displays arbitrary information on commits. When Git processes a [padding operator](<https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem>), an integer overflow can occur. OOB reads and writes can result from the overflow, leading to remote code execution if exploited.\n\nA detailed, technical dive into these vulnerabilities is in the [full audit report](<https://www.x41-dsec.de/static/reports/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf>).\n\n* * *\n\n**We don't just report on threats--we remove them**\n\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by [downloading Malwarebytes today](<https://www.malwarebytes.com/for-home>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-19T04:00:00", "type": "malwarebytes", "title": "Update now! 
Two critical flaws in Git's code found, patched", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350", "CVE-2022-23521", "CVE-2022-41903", "CVE-2022-41953"], "modified": "2023-01-19T04:00:00", "id": "MALWAREBYTES:D8FE6720785E2D0A74968E661F817C57", "href": "https://www.malwarebytes.com/blog/news/2023/01/update-now-two-critical-flaws-in-gits-code-found-patched", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2020-10-29T14:42:12", "description": "\n\nSpooky season is in full swing, and we\u2019re not just talking about Halloween. [Security vulnerabilities](<https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/>) can range from tiny errors to large-scale gaps in protection, and all have different consequences. We put together a list of some of the scariest vulnerabilities of the year (the tricks!) and the remediation solutions that can help you stay on guard in the future (the treats!).\n\n## [SMBghost](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost?referrer=search>)\n\n\n\n**The Trick: **SMBghost is a [buffer overflow vulnerability](<https://blog.rapid7.com/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/>) when compression is enabled in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. 
A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application. Yikes!\n\nThe impact that the exploitation of this vulnerability has is very high, due to this having the ability to be exploited remotely and the sense that it grants system-level access in kernel mode. This vulnerability has also been deemed as wormable, which makes it a priority for attackers to utilize.\n\n**The Treat: **Though the attacker value is very high, most [AttackerKB](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost>) users have noted that the vuln\u2019s exploitability is relatively low. Microsoft has since released a patch for this vulnerability and suggests that users take proper precaution when enabling compression within SMB. Now, with many knowledge workers still stuck at home thanks to the pandemic, and therefore not spending a lot of time hanging out in SMB-heavy environments, this sequestration might actually be limiting the value of this and other SMB vulnerabilities\u2014maybe working from home might actually be good for security!\n\n## [BlueGate](<https://attackerkb.com/topics/Er1dwnOh2a/windows-remote-desktop-gateway-rce-cve-2020-0609?referrer=search>)\n\n\n\n**The Trick: **A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. A ghost-like attacker messing with your data? Pretty spooky.\n\n**The Treat: **This ghost is probably going away with regular and timely security patches. 
Though it goes against expert advice to deploy right smack on the internet, maintainers of such servers just need to keep up on their patches in the same way a typical IIS administrator does. The Microsoft-issued update addresses the vulnerability by correcting how RD Gateway handles connection requests.\n\n## [Ripple20](<https://attackerkb.com/topics/EZhbaWNnwV/ripple20-treck-tcp-ip-stack-vulnerabilities?referrer=search>)\n\n\n\n**The Trick: **In June, security firm JSOF published research on a collection of 19 vulnerabilities in a low-level TCP/IP software library developed by Treck, a company that has distributed embedded internet protocols since the \u201990s. The 19 vulnerabilities \u201caffect hundreds of millions of devices (or more),\u201d thanks to the ripple effect of the supply chain. Consider \u201c19\u201d to be quite the opposite of a magic number. The 19 vulnerabilities are not equal in their severity and potential impact and are likely to persist for some time. \n\n\n**The Treat: **Is there any good news? Well, the practical attacker value of this suite of vulnerabilities is, on the whole, relatively low. This is in large part because of the lack of attack scalability: Each attack will, in all likelihood, need to be tailor-made for the target device, and even the value of targeting specific devices is heavily dependent on device capabilities and the context in which that device is used. The Treck TCP/IP stack is geared toward low-resource devices, which makes the Ripple20 vulnerabilities significantly less likely to be targeted in resource-heavy attacks such as crypto-mining or ransomware campaigns. 
If users want to change course from a scary ending to a happy one, users are best served by applying detections at the edge and internal network level to filter out malformed TCP/IP packets, IP fragments, and other lesser-used networking features, where possible.\n\n## [Bad Neighbor](<https://attackerkb.com/topics/17lFRTT1DO/cve-2020-16898-aka-bad-neighbor-ping-of-death-redux>)\n\n\n\n**The Trick:** Bad Neighbor is a remote code execution vulnerability that arises when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploits this vulnerability could gain the ability to execute code on the target server or client. The vulnerability has garnered broad attention as potentially wormable. This bad neighbor is probably someone who gives out wormable apples instead of candy.\n\n**The Treat: **You can\u2019t call the homeowners association on this one, but we recommend applying the patch for CVE-2020-16898 (Bad Neighbor) as soon as possible. For those who are unable to patch immediately, consider disabling ICMPv6 RDNSS as a workaround.\n\n## [RECON](<https://blog.rapid7.com/2020/07/14/pay-attention-to-your-sap-security/>)\n\n\n\n**The Trick: **This critical [SAP vulnerability (RECON)](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java#rapid7-analysis>) from July affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. Though a few months have passed since its publication, it\u2019s still a big deal, especially since exploit code is publicly available. Businesses rely on SAP for a wide variety of processes, capturing everything from financial data to business intelligence. Most organizations use it as a tool to manage compliance and ensure access is provisioned (and, more importantly, deprovisioned) with urgency. 
The critical component to this vulnerability is that it does not require authentication to exploit, meaning any SAP NetWeaver system with the vulnerable components exposed to the internet\u2014currently estimated to be at least 4,000\u2014can be trivially compromised to wreak havoc on business systems. _So, yeah, this one is big-time scary._\n\n**The Treat:** This trick feels more like a long con. And how do you unravel the layers and remediate a long con? Conversations should begin with IT by identifying which physical or virtual assets are affected. SAP NetWeaver serves as the base layer for many SAP products, so many applications and processes are likely affected. Understanding how many systems you need to apply this patch to will help you begin to communicate estimated downtime to the business. Treating vulnerabilities, especially severe ones like this, is an exercise in diplomacy, politics, and trade-offs. For some, this will require removing SAP\u2019s direct access to the internet. For others, it will require implementing WAF and/or IPS rules. CISA strongly recommends closely monitoring SAP NetWeaver AS for anomalous activity. SAP customers should be on the lookout for unusual processes spawned under the context of users that match the <sid>adm naming convention. File metadata may also be a good way to identify when SAP NetWeaver software spawns non-SAP binaries. Rapid7 also recommends ensuring that any web service does not run using a privileged account. For others, it will result in accepting the risk. 
The key message here is to sit down with all stakeholders, including business leaders, to get on the same page about the severity of this vulnerability, develop and activate a treatment plan, and make sure to have, at a minimum, detective controls in place to respond.\n\n## [SigRed](<https://attackerkb.com/topics/egp32neD6z/cve-2020-1350-windows-dns-server-remote-code-execution-sigred>)\n\n\n\n**The Trick: **A remote code execution vulnerability codenamed \u201cSigRed\u201d exists in Windows Domain Name System servers when they fail to properly handle requests. Successful exploitation can result in domain administrator privileges, compromising critical business data, assets, and infrastructure. If that wasn\u2019t scary enough, Homeland Security decided to get involved. The U.S. Department of Homeland Security issued an emergency directive on July 16, 2020 requiring federal agencies to patch or mitigate the vulnerability within 24 hours\u2014only the third time CISA\u2019s current director has taken such an action. As with any vulnerability known to be wormable, CVE-2020-1350, or SigRed, will make an attractive target for ransomware campaigns in addition to stealthier threat actors.\n\n**The Treat: **CISA put out urgent guidance to those who have Windows servers running DNS: patch on an emergency basis. Microsoft released guidance on mitigations for those who cannot patch, but as with other recent high-severity, high-urgency vulnerabilities, it is highly recommended that defenders prioritize patching over mitigation wherever possible. 
When attacker value is this high, don\u2019t just run for the hills\u2014instead, follow the rules and prioritize patching to keep monsters out of your servers.\n\n## [Curveball](<https://blog.rapid7.com/2020/01/16/cve-2020-0601-windows-cryptoapi-spoofing-vulnerability-what-you-need-to-know/>)\n\n\n\n**The Trick: **In January,** **a flaw [(CVE-2020-0601 or Curveball)](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-0601>) was found in the way the Microsoft Windows CryptoAPI performs certificate validation, allowing attackers to spoof X.509 certificates. This is core cryptographic functionality used by a number of different software components, with far-reaching impact ranging from programming languages to web browsers.\n\n**The Treat: **This year started out with a fright, but there are some silver linings. The mitigation steps taken by Microsoft and others (e.g., Google Chrome) to detect and alert users to exploitation attempts are a welcome development for defenders and users. Windows Update services were not affected by this due to extended hardening in years past, showing that defense-in-depth is important for maintaining critical infrastructure. This vulnerability also highlights a specification flaw that software projects should heed: Untested features are likely vulnerable features. Because this vulnerability is in an extremely seldom-used feature of the TLS specification that allows users to specify their own elliptic curves, it meant the feature was largely untested. Vulnerability hunters and defenders may be on the lookout for similar bugs in other TLS implementations in the future.\n\nIt\u2019s Halloween, not April fools, and these vulnerabilities are no joke. As with any security scare, it\u2019s important not only to remediate, but to reflect on what we can learn from these mistakes. 
If you\u2019re looking for more visibility into which of these vulnerabilities is present in your organization, learn more about [our vulnerability management tool, InsightVM](<https://www.rapid7.com/products/insightvm/>).\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2020-10-29T13:59:06", "type": "rapid7blog", "title": "Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0796", "CVE-2020-1350", "CVE-2020-16898", "CVE-2020-6287"], "modified": "2020-10-29T13:59:06", "id": "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492", "href": "https://blog.rapid7.com/2020/10/29/trick-or-treat-what-we-can-learn-from-the-spookiest-vulnerabilities-of-the-year/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2020-07-16T10:01:23", "description": "**Microsoft** today released updates to plug a whopping 123 security holes in **Windows** and related software, including fixes for a critical, \"wormable\" flaw in **Windows Server** versions that Microsoft says is likely to be exploited soon. While this particular weakness mainly affects enterprises, July's care package from Redmond has a little something for everyone. 
So if you're a Windows (ab)user, it's time once again to back up and patch up (preferably in that order).\n\nTop of the heap this month in terms of outright scariness is [CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>), which concerns a remotely exploitable bug in more or less all versions of Windows Server that attackers could use to install malicious software simply by sending a specially crafted DNS request.\n\nMicrosoft said it is not aware of reports that anyone is exploiting the weakness (yet), but the flaw has been assigned a [CVSS score](<https://www.first.org/cvss/user-guide>) of 10, which translates to \"easy to attack\" and \"likely to be exploited.\"\n\n\"We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction,\" Microsoft wrote in its documentation of CVE-2020-1350. \"DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.\"\n\nCVE-2020-1350 is just the latest worry for enterprise system administrators in charge of patching dangerous bugs in widely-used software. Over the past couple of weeks, fixes for flaws with high severity ratings have been released for a broad array of software products typically used by businesses, [including Citrix, F5, Juniper, Oracle and SAP](<https://www.zdnet.com/article/recon-bug-lets-hackers-create-admin-accounts-on-sap-servers/>). This at a time when many organizations are already short-staffed and dealing with employees working remotely thanks to the COVID-19 pandemic.\n\nThe Windows Server vulnerability isn't the only nasty one addressed this month that malware or malcontents can use to break into systems without any help from users. 
A full 17 other critical flaws fixed in this release tackle security weaknesses that Microsoft assigned its most dire \"critical\" rating, such as in **Office**, **Internet Exploder**, **SharePoint**, **Visual Studio**, and Microsoft's **.NET Framework**.\n\nSome of the more eyebrow-raising critical bugs addressed this month include [CVE-2020-1410](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1410>), which according to **Recorded Future** concerns the Windows Address Book and could be exploited via a malicious vcard file. Then there's [CVE-2020-1421](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1421>), which protects against potentially malicious .LNK files (think [Stuxnet](<https://krebsonsecurity.com/2010/07/microsoft-to-issue-emergency-patch-for-critical-windows-bug/>)) that could be exploited via an infected removable drive or remote share. And we have the dynamic duo of [CVE-2020-1435](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1435>) and [CVE-2020-1436](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1436>), which involve problems with the way Windows handles images and fonts that could both be exploited to install malware just by getting a user to click a booby-trapped link or document.\n\nNot to say flaws rated \"important\" as opposed to critical aren't also a concern. Chief among those is [CVE-2020-1463](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1463>), a problem within **Windows 10** and **Server 2016** or later that was detailed publicly prior to this month's Patch Tuesday.\n\nBefore you update with this month\u2019s patch batch, please make sure you have backed up your system and/or important files. It\u2019s not uncommon for a particular Windows update to hose one\u2019s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files. 
Last month's bundle of joy from Microsoft sent my Windows 10 system into a perpetual crash state. Thankfully, I was able to restore from a recent backup.\n\nSo do yourself a favor and backup _before_ installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAlso, keep in mind that Windows 10 is set to apply patches on its own schedule, which means if you delay backing up you could be in for a wild ride. If you wish to ensure the operating system has been set to pause updating so you can back up your files and/or system _before_ the operating system decides to reboot and install patches whenever it sees fit, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. 
Also, keep an eye on [the AskWoody blog from Woody Leonhard](<https://www.askwoody.com/>), who keeps a reliable lookout for buggy Microsoft updates each month.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T21:45:28", "type": "krebs", "title": "\u2018Wormable\u2019 Flaw Leads July Microsoft Patches", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350", "CVE-2020-1410", "CVE-2020-1421", "CVE-2020-1435", "CVE-2020-1436", "CVE-2020-1463"], "modified": "2020-07-14T21:45:28", "id": "KREBS:1A886B22AAF8ADC53874F0E126C5A96D", "href": "https://krebsonsecurity.com/2020/07/wormable-flaw-leads-july-microsoft-patches/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2021-03-09T00:00:00", "description": "#### ARCHIVED STORY\n\n# Seven Windows Wonders \u2013 Critical Vulnerabilities in DNS Dynamic Updates\n\nEoin Carroll \u00b7 MAR 09, 2021\n\n## Overview\n\nFor the March 2021 Patch Tuesday, Microsoft released a set of seven DNS vulnerabilities. 
Five of the vulnerabilities are remote code execution (RCE) with critical CVSS (Common Vulnerability Scoring System) scores of 9.8, while the remaining two are denial of service (DoS). Microsoft shared detection guidance and proofs of concept with MAPP members for two of the RCE vulnerabilities, CVE-2021-26877 and CVE-2021-26897, which we have confirmed to be within the DNS Dynamic Zone Update activity. Microsoft subsequently confirmed that all seven of the DNS vulnerabilities are within the Dynamic Zone Update activity.\n\nWe confirmed from our analysis of CVE-2021-26877 and CVE-2021-26897, in addition to further clarification from Microsoft, that none of the five DNS RCE vulnerabilities are wormable.\n\n**RCE vulnerabilities** \nCVE-2021-26877, CVE-2021-26897 (exploitation more likely) \nCVE-2021-26893, CVE-2021-26894, CVE-2021-26895 (exploitation less likely)\n\n**DoS vulnerabilities** \nCVE-2021-26896, CVE-2021-27063 (exploitation less likely)\n\nA critical CVSS score of 9.8 means that an attacker can remotely compromise a DNS server with no authentication or user interaction required. Successful exploitation of these vulnerabilities would lead to RCE on a Primary Authoritative DNS server. While CVSS is a great tool for technical scoring, it needs to be taken in context with your DNS deployment environment to understand your risk, which we discuss below.\n\nWe highly recommend you urgently patch your Windows DNS servers if you are using Dynamic Updates. If you cannot patch, we recommend you prioritize evaluating your exposure. In addition, we have developed signatures for CVE-2021-26877 and CVE-2021-26897, which are rated as \u201cexploitation more likely\u201d by Microsoft.\n\n## DNS Dynamic Updates, Threats and Deployment\n\nPer the NIST \u201c[Secure Domain Name System (DNS) Deployment Guide](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf>)\u201d, DNS threats can be divided into Platform and Transaction Threats. 
The platform threats can be classed as either DNS Host Platform or DNS Software Threats. Per Table 1 below, Dynamic Update is one of the four DNS Transaction types. The seven DNS vulnerabilities are within the Dynamic Update DNS transaction feature of Windows DNS Software.\n\n\n\n_Table 1: DNS Transaction Threats and Security Objectives_\n\nThe DNS Dynamic Zone Update feature allows a client to update its Resource Records (RRs) on a Primary DNS Authoritative Server, such as when it changes its IP address; these clients are typically Certificate Authority (CA) and DHCP servers. The Dynamic Zone Update feature can be deployed on a standalone DNS server or an Active Directory (AD) integrated DNS server. Best practice is to deploy DNS integrated with (AD) so it can avail itself of Microsoft security such as Kerberos and GSS-TSIG.\n\nWhen creating a Zone on a DNS server there is an option to enable or disable DNS Dynamic Zone Updates. When DNS is deployed as a standalone server, the Dynamic Zone Update feature is disabled by default but can be enabled in secure/nonsecure mode. When DNS is deployed as AD integrated, the Dynamic Zone Update feature is enabled in secure mode by default.\n\n**Secure Dynamic Zone Update** verifies that all RR updates are digitally signed using GSS-TSIG from a domain-joined machine. 
In addition, more granular controls can be applied on what principal can perform Dynamic Zone Updates.\n\n**Insecure Dynamic Zone Update** allows any machine to update RRs without any authentication (not recommended).\n\n## Attack Pre-requisites\n\n * AD Integrated DNS Dynamic Updates (default config of secure updates) \n * A DNS server must accept write requests to at least one Zone (typically a primary DNS server only allows Zone RR writes but there are misconfigurations and secondary servers which can negate this)\n * Domain-joined machine\n * Attacker must craft request to DNS server and supply a target Zone in request\n * Standalone DNS Server (secure/nonsecure config) \n * A DNS server must accept write requests to at least one Zone (typically a primary DNS server only allows Zone RR writes but there are misconfigurations and secondary servers which can negate this)\n * Attacker must craft request to DNS server and supply a target Zone in request\n\nFrom a Threat Model perspective, we must consider Threat Actor motives, capabilities, and access/opportunity, so you can understand the risk relative to your environment. We are not aware of any exploitation in the wild of these vulnerabilities so we must focus on the access capabilities, i.e., close the door on the threat actor opportunity. 
Table 2 summarizes DNS Dynamic Update deployment models relative to the opportunity these RCE vulnerabilities present.\n\n\n\n_Table 2: Threat Actor access relative to deployment models and system impact_\n\nThe highest risk deployment would be a DNS server in Dynamic Update insecure mode exposed to the internet; this is not best security practice and based on our experience, we do not know of a use case for such deployment.\n\nDeploying AD integrated DNS Dynamic Update in secure mode (default) mitigates the risk of an unauthenticated attacker but still has a high risk of a compromised domain computer or trusted insider being able to achieve RCE.\n\n## Vulnerability Analysis\n\nAll the vulnerabilities are related to the processing of Dynamic Update packets in dns.exe. The goal of our vulnerability analysis, as always for critical industry vulnerabilities, is to ensure we can generate accurate signatures to protect our customers.\n\n## Analysis of CVE-2021-26877\n\n * The vulnerability is triggered when a Zone is updated with a TXT RR that has a \u201cTXT length\u201d greater than \u201cData length\u201d per Wireshark below:\n\n\n_Figure 1: Wireshark view of exploit packet classifying the DNS packet as malformed_\n\n * The vulnerability is in the File_PlaceStringInFileBuffer() function as you can see from WinDbg output below:\n\n\n_ Figure 2: WinDbg output of crash while attached to dns.exe _\n\n * The vulnerability is an Out of bounds (OOB) read on the heap when the \u201cTXT length\u201d field of DNS Dynamic Zone Update is not validated relative to \u201cData length\u201d. This could allow an attacker to read up to 255 bytes of memory. Microsoft states this vulnerability can be used to achieve RCE; this would require a further OOB write primitive.\n * The memory allocation related to the OOB read is created within the CopyWireRead() function. 
Relevant pseudo code for this function is below:\n\n\n * The `File_PlaceStringInFileBuffer()` function copies data from `TXT_data`, which was allocated earlier by the `CopyWireRead()` function. However, the UpdateRR->TXT length value from Wireshark is not validated and is used to copy from *UpdateRR->Data length. Because UpdateRR->TXT length is not validated relative to UpdateRR->Data length, it results in an OOB read from heap memory.\n\n## Analysis of CVE-2021-26897\n\n * The vulnerability is triggered when many consecutive Signature RR Dynamic Updates are sent\n * The vulnerability is an OOB write on the heap when combining the many consecutive Signature RR Dynamic Updates into base64-encoded strings before writing to the Zone file\n * Microsoft states this vulnerability can be used to achieve RCE\n\n\n_ Figure 3: Packet containing many consecutive Signature RR dynamic updates. Pay special attention to the length field of the reassembled flow. _\n\n## Exploitability\n\nExploiting these vulnerabilities remotely requires both read and write primitives in addition to bypassing Control Flow Guard (CFG) for execution. The DNS protocol has significant remote unauthenticated attack surface to facilitate generating such primitives, which has been researched as part of [CVE-2020-1350 (SigRed).](<https://www.graplsecurity.com/post/anatomy-of-an-exploit-rce-with-cve-2020-1350-sigred>) In addition, per the `RR_DispatchFuncForType()` function, there are read and write functions as part of its dispatch table.\n\n\n\n_Figure 4: Path of DNS RR update packet_\n\n\n\n_Figure 5: Dispatch functions for reading and writing_\n\n## Mitigations\n\nPatching is always the first and most effective course of action. If it\u2019s not possible to patch, the best mitigation is to audit your DNS deployment configuration to limit Dynamic Zone Updates to trusted servers only. 
For those McAfee customers who are unable to deploy the Windows patch, the following Network Security Platform (NSP) signatures will provide a virtual patch against attempted exploitation of both vulnerabilities, CVE-2021-26877 and CVE-2021-26897. \n\nNSP Attack ID: 0x4030e700 \u2013 DNS: Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877) \nNSP Attack ID: 0x4030e800 \u2013 DNS: Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)\n\nIn addition, NIST \u201c[Secure Domain Name System (DNS) Deployment Guide](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf>)\u201d provides best practices for securing DNS deployment such as:\n\n 1. DNS Primary Server should restrict clients that can update RRs\n 2. Secure Dynamic Update using GSS-TSIG\n 3. Secondary DNS Server Dynamic Update forwarding restrictions using GSS-TSIG\n 4. Fine-grained Dynamic Update restrictions using GSS-TSIG\n", "cvss3": {}, "published": "2021-03-09T00:00:00", "type": "trellix", "title": "Seven Windows Wonders \u2013 Critical Vulnerabilities in DNS Dynamic Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1350", "CVE-2021-26877", "CVE-2021-26893", "CVE-2021-26894", "CVE-2021-26895", "CVE-2021-26896", "CVE-2021-26897", "CVE-2021-27063"], "modified": "2021-03-09T00:00:00", "id": "TRELLIX:1C43DDFF23D74094DC43986305E2F780", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/seven-windows-wonders-critical-vulnerabilities-in-dns-dynamic-updates.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "ics": [{"lastseen": "2023-09-23T07:29:31", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n_**Note**: on October 20, 2020, the National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) providing information on publicly known vulnerabilities exploited by Chinese state-sponsored cyber actors to target computer networks holding sensitive intellectual property, economic, political, and military information. This Alert has been updated to include information on vulnerabilities exploited by Chinese state-sponsored actors (see Table 4)._\n\nIn light of heightened tensions between the United States and China, the Cybersecurity and Infrastructure Security Agency (CISA) is providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation\u2019s critical infrastructure. In addition to the recommendations listed in the Mitigations section of this Alert, CISA recommends organizations take the following actions.\n\n 1. **Adopt a state of heightened awareness. **Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.\n 2. **Increase organizational vigilance.** Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.\n 3. **Confirm reporting processes.** Ensure personnel know how and when to report an incident. The well-being of an organization\u2019s workforce and cyber infrastructure depends on awareness of threat activity. 
Consider [reporting incidents](<https://us-cert.cisa.gov/report>) to CISA to help serve as part of CISA\u2019s early warning system (see the Contact Information section below).\n 4. **Exercise organizational incident response plans.** Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.\n\n### Technical Details\n\n#### China Cyber Threat Profile\n\nChina has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests. The \u201cMade in China 2025\u201d 10-year plan outlines China\u2019s top-level policy priorities.[[1](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)],[[2](<https://fas.org/sgp/crs/row/IF10964.pdf>)] China may seek to target the following industries deemed critical to U.S. national and economic interests: new energy vehicles, next generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.[[3](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)] China has exercised its increasingly sophisticated capabilities to illegitimately obtain U.S. intellectual property (IP), suppress both social and political perspectives deemed dangerous to China, and harm regional and international opponents.\n\nThe U.S. Intelligence Community and various private sector threat intelligence organizations have identified the Chinese People\u2019s Liberation Army (PLA) and Ministry of State Security (MSS) as driving forces behind Chinese state-sponsored cyberattacks\u2013either through contractors in the Chinese private sector or by the PLA and MSS entities themselves. 
China continues to engage in espionage-related activities that include theft of sensitive information such as innovation capital, IP, and personally identifiable information (PII). China has demonstrated a willingness to push the boundaries of their activities to secure information critical to advancing their economic prowess and competitive advantage.\n\n#### Chinese Cyber Activity\n\nAccording to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.\n\nAdditionally, numerous Department of Justice (DOJ) indictments over several years provide evidence to suggest Chinese threat actors continuously seek to illegally obtain and exfiltrate U.S. IP. Their targets also include western companies with operations inside China.\n\nPublic reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes:\n\n * **February 2013 \u2013 Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China:** a comprehensive report publicly exposed APT1 as part of China\u2019s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries.[[4](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)] APT1 established access to the victims\u2019 networks and methodically exfiltrated IP across a large range of industries identified in China\u2019s 12th 5-Year Plan. 
A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).[[5](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)]\n * **April 2017 \u2013 Chinese APTs Targeting IP in 12 Countries:** CISA announced Chinese state-backed APTs carried out a multi-year campaign of cyber-enabled IP theft that targeted global technology service providers and their customers. The threat actors leveraged stolen administrative credentials (local and domain) and placed sophisticated malware on critical systems in an effort to steal the IP and sensitive data of companies located in at least 12 countries.[[6](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)]\n * **December 2018 \u2013 Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs):** DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spearphishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII.[[7](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)] CISA also briefed stakeholders on Chinese APT groups who targeted MSPs and their customers to steal data and further operationalize commercial and economic espionage.[[8](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)]\n * **February 2020 \u2013 China\u2019s Military Indicted for 2017 Equifax Hack:** DOJ indicted members of China\u2019s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company\u2019s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. 
The breach impacted roughly half of all American citizens and stole Equifax\u2019s trade secrets.[[9](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)]\n * **May 2020 \u2013 China Targets COVID-19 Research Organizations:** the Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. organizations conducting COVID-19-related research by cyber actors affiliated with China.[[10](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)] Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.[[11](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)],[[12](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity%20>)]\n\n#### Common TTPs of Publicly Known Chinese Threat Actors\n\nThe section below provides common, publicly known, TTPs employed by Chinese threat actors, which map to the MITRE ATT&CK framework. Where possible, the tables include actions for detection and mitigation. This section is not exhaustive and does not detail all TTPs or detection and mitigation actions. \n\n#### PRE-ATT&CK TTPs\n\nChinese threat actors commonly use the techniques listed in table 1 to achieve reconnaissance (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/tactics/TA0015/>)]), staging (_Stage Capabilities_ [[TA0026](<https://attack.mitre.org/tactics/TA0026/>)]), and testing (_Test Capabilities_ [[TA0025](<https://attack.mitre.org/tactics/TA0025/>)]) before executing an attack. 
PRE-ATT&CK techniques can be difficult to detect and mitigate, however, defenders should be aware of the use of these techniques.\n\n_Table 1: Chinese threat actor PRE-ATT&CK techniques_\n\n**Technique** | **Description** \n---|--- \n_Acquire and/or Use 3rd Party Software Services_ [[T1330](<https://attack.mitre.org/techniques/T1330/>)] | Staging and launching attacks from software as a service solutions that cannot be easily tied back to the APT \n_Compromise 3rd Party Infrastructure to Support Delivery_ [[T1334](<https://attack.mitre.org/techniques/T1334/>)] | Compromising infrastructure owned by other parties to facilitate attacks (instead of directly purchasing infrastructure) \n_Domain Registration Hijacking_ [[T1326](<https://attack.mitre.org/techniques/T1326/>)] | Changing the registration of a domain name without the permission of its original registrant and then using the legitimate domain as a launch point for malicious purposes \n_Acquire Open-Source Intelligence (OSINT) Data Sets and Information_ [[T1247](<https://attack.mitre.org/techniques/T1247/>)] | Gathering data and information from publicly available sources, including public-facing websites of the target organization \n_Conduct Active Scanning _[[T1254](<https://attack.mitre.org/techniques/T1254/>)] | Gathering information on target systems by scanning the systems for vulnerabilities. 
Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet \n_Analyze Architecture and Configuration Posture _[[T1288](<https://attack.mitre.org/techniques/T1288/>)] | Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks \n_Upload, Install, and Configure Software/Tools_ [[T1362](<https://attack.mitre.org/techniques/T1362>)] | Placing malware on systems illegitimately for use during later stages of an attack to facilitate exploitability and gain remote access \n \n#### Enterprise ATT&CK TTPs\n\nChinese threat actors often employ publicly known TTPs against enterprise networks. To orchestrate attacks, they use commonly implemented security testing tools and frameworks, such as:\n\n * Cobalt Strike and Beacon\n * Mimikatz\n * PoisonIvy\n * PowerShell Empire\n * China Chopper Web Shell\n\nTable 2 lists common, publicly known, TTPs used by Chinese threat actors against enterprise networks and provides options for detection and mitigation based on the MITRE ATT&CK framework.\n\n_Table 2: Common Chinese threat actor techniques, detection, and mitigation_\n\n**Technique / Sub-Technique** | **Detection** | **Mitigation** \n---|---|--- \n_Obfuscated Files or Information _[[T1027](<https://attack.mitre.org/techniques/T1027/>)] | \n\n * Detect obfuscation by analyzing signatures of modified files.\n * Flag common syntax used in obfuscation.\n| \n\n * Use antivirus/antimalware software to analyze commands after processing. 
\n_Phishing: Spearphishing Attachment _[[T1566.001](<https://attack.mitre.org/techniques/T1566/001/>)] and _Spearphishing Link _[[T1566.002](<https://attack.mitre.org/techniques/T1566/002/>)] | \n\n * Use network intrusion detection systems (NIDS) and email gateways to detect suspicious attachments in email entering the network.\n * Use detonation chambers to inspect email attachments in isolated environments.\n| \n\n * Quarantine suspicious files with antivirus solutions.\n * Use network intrusion prevention systems to scan and remove malicious email attachments.\n * Train users to identify phishing emails and notify IT. \n_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/techniques/T1016/>)] | \n\n * Monitor for processes and command-line arguments that could be used by an adversary to gather system and network information.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: Windows Command Shell _[[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)] | \n\n * Identify normal scripting behavior on the system then monitor processes and command-line arguments for suspicious script execution behavior.\n| \n\n * Only permit execution of signed scripts.\n * Disable any unused shells or interpreters. \n \n_User Execution: Malicious File _[[T1204.002](<https://attack.mitre.org/techniques/T1204/002/>)] | \n\n * Monitor execution of command-line arguments for applications (including compression applications) that may be used by an adversary to execute a user interaction.\n * Set antivirus software to detect malicious documents and files downloaded and installed on endpoints.\n| \n\n * Use execution prevention to prevent the running of executables disguised as other files.\n * Train users to identify phishing attacks and other malicious events that may require user interaction. 
\n_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder _[[T1547.001](<https://attack.mitre.org/techniques/T1547/001/>)] | \n\n * Monitor the start folder for additions and changes.\n * Monitor registry for changes to run keys that do not correlate to known patches or software updates.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: PowerShell _[[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)] | \n\n * Enable PowerShell logging.\n * Monitor for changes in PowerShell execution policy as a method of identifying malicious use of PowerShell.\n * Monitor for PowerShell execution generally in environments where PowerShell is not typically used.\n| \n\n * Set PowerShell execution policy to execute only signed scripts.\n * Disable PowerShell if not needed by the system.\n * Disable WinRM service to help prevent use of PowerShell for remote execution.\n * Restrict PowerShell execution policy to administrators. \n_Hijack Execution Flow: DLL Side-Loading _[[T1574.002](<https://attack.mitre.org/techniques/T1574/002/>)] | \n\n * Track Dynamic Link Library (DLL) metadata, and compare DLLs that are loaded at process execution time against previous executions to detect unusual differences unrelated to patching.\n| \n\n * Use the program `sxstrace.exe` to check manifest files for side-loading vulnerabilities in software.\n * Update software regularly including patches for DLL side-loading vulnerabilities. 
\n_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/techniques/T1105/>)] | \n\n * Monitor for unexpected file creation or files transfer into the network from external systems, which may be indicative of attackers staging tools in the compromised environment.\n * Analyze network traffic for unusual data flows (i.e., a client sending much more data than it receives from a server).\n| \n\n * Use network intrusion detection and prevention systems to identify traffic for specific adversary malware or unusual data transfer over protocols such as File Transfer Protocol. \n_Remote System Discovery_ [[T1018](<https://attack.mitre.org/techniques/T1018/>)] | \n\n * Monitor processes and command-line arguments for actions that could be taken to gather system and network information.\n * In cloud environments, usage of commands and application program interfaces (APIs) to request information about remote systems combined with additional unexpected commands may be a sign of malicious use.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Software Deployment Tools_ [[T1072](<https://attack.mitre.org/techniques/T1072/>)] | \n\n * Identify the typical use pattern of third-party deployment software, then monitor for irregular deployment activity.\n| \n\n * Isolate critical network systems access using group policies, multi-factor authentication (MFA), and firewalls.\n * Patch deployment systems regularly.\n * Use unique and limited credentials for access to deployment systems. \n_Brute Force: Password Spraying_ [[T1110.003](<https://attack.mitre.org/techniques/T1110/003/>)] | \n\n * Monitor logs for failed authentication attempts to valid accounts.\n| \n\n * Use MFA.\n * Set account lockout policies after a certain number of failed login attempts. 
\n_Network Service Scanning_ [[T1046](<https://attack.mitre.org/techniques/T1046/>)] | \n\n * Use NIDS to identify scanning activity.\n| \n\n * Close unnecessary ports and services.\n * Segment network to protect critical servers and devices. \n_Email Collection _[[T1114](<https://attack.mitre.org/techniques/T1114/>)] | \n\n * Monitor processes and command-line arguments for actions that could be taken to gather local email files.\n| \n\n * Encrypt sensitive emails.\n * Audit auto-forwarding email rules regularly.\n * Use MFA for public-facing webmail servers. \n_Proxy: External Proxy_ [[T1090.002](<https://attack.mitre.org/techniques/T1090/002/>)] | \n\n * Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server.\n| \n\n * Use NIDS and prevention systems to identify traffic for specific adversary malware using network signatures. \n_Drive-by Compromise _[[T1189](<https://attack.mitre.org/techniques/T1189/>)] | \n\n * Use Firewalls and proxies to inspect URLs for potentially known-bad domains or parameters.\n * Monitor network intrusion detection systems (IDS) to detect malicious scripts, and monitor endpoints for abnormal behavior.\n\n| \n\n * Isolate and sandbox impacted systems and applications to restrict the spread of malware.\n * Leverage security applications to identify malicious behavior during exploitation.\n * Restrict web-based content through ad-blockers and script blocking extensions. \n_Server Software Component: Web Shell_ [[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)] | \n\n * Analyze authentication logs, files, netflow/enclave netflow, and leverage process monitoring to discover anomalous activity.\n| \n\n * Patch vulnerabilities in internet facing applications.\n * Leverage file integrity monitoring to identify file changes.\n * Configure server to block access to the web accessible directory through principle of least privilege. 
\n_Application Layer Protocol: File Transfer Protocols_ [[T1071.002](<https://attack.mitre.org/techniques/T1071/002/>)] and _DNS_ [[T1071.004](<https://attack.mitre.org/techniques/T1071/004/>)] | \n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.\n| \n\n * Leverage NIDS and NIPS using network signatures to identify traffic for specific adversary malware. \n \n#### Additional APT Activity\n\nThe TTPs listed above have been repeatedly used across the spectrum of Chinese threat actors. The mitigations referenced in this alert can help reduce vulnerability to these TTPs; however, defenders should also maintain heightened awareness of threat actors that are more innovative in their approach, making it difficult to detect and respond to compromise. Publicly reported examples [[13](<https://www.fireeye.com/current-threats/apt-groups.html>)] include:\n\n * **APT3** (known as UPS Team) is known for deploying zero-day attacks that target Internet Explorer, Firefox, and Adobe Flash Player. The group\u2019s custom implants and changing Command and Control (C2) infrastructure make them difficult to track. 
APT3 exploits use Rivest Cipher 4 (RC4) encryption to communicate and bypass address space layout randomization (ASLR)/Data Execution Prevention (DEP) by using Return Oriented Programming (ROP) chains.[[14](<https://attack.mitre.org/groups/G0022/>)]\n * **APT10** (known as MenuPass Group) has established access to victim networks through compromised service providers, making it difficult for network defenders to identify the malicious traffic.\n * **APT19** (known as Codoso and Deep Panda) is known for developing custom Rich Text Format (RTF) and macro-enabled Microsoft Office documents for both implants and payloads. The group has backdoored software, such as software serial generators, and makes expert use of PowerShell for C2 over Hyper Text Transfer Protocol (HTTP)/Hyper Text Transfer Protocol Secure (HTTPS).[[15](<https://attack.mitre.org/groups/G0073/>)]\n * **APT40** (known as Leviathan) has targeted external infrastructure with success, including internet-facing routers and virtual private networks.\n * **APT41** (known as Double Dragon) has exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to compromise victims.[[16](<https://attack.mitre.org/groups/G0096/>)]\n\n### Mitigations\n\n### Recommended Actions\n\nThe following list provides actionable technical recommendations for IT security professionals to reduce their organization\u2019s overall vulnerability. These recommendations are not exhaustive; rather, they focus on the actions that will greatly reduce stakeholders\u2019 attack surface.\n\n 1. **Patch systems and equipment promptly and diligently.** Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally-facing (i.e., internet) equipment. 
Certain vulnerabilities\u2014including CVE-2012-0158 in Microsoft products [[17](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)], CVE-2019-19781 in Citrix devices [[18](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)], and CVE-2020-5902 in BIG-IP Traffic Management User Interface [[19](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)]\u2014have presented APTs with prime targets to gain initial access. Chinese APTs often use existing exploit code to target routinely exploited vulnerabilities [[20](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)], which present an opportunistic attack that requires limited resources. See table 3 for patch information on CVEs that have been routinely exploited by Chinese APTs. See table 4 for patch information on vulnerabilities that the National Security Agency (NSA) has stated are actively used by Chinese state-sponsored cyber actors.\n\n_Table 3: Patch information for vulnerabilities routinely exploited by Chinese APT actors_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) | \n\nMicrosoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0\n\n| \n\n * [Microsoft Security Bulletin MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027>) \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability 
CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n[CVE-2019-16920](<https://nvd.nist.gov/vuln/detail/CVE-2019-16920>) | \n\n * D-Link products DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825\n| \n\n * [D-Link Security Advisory: DAP-1533 Rv Ax, DGL-5500 Rv Ax, DHP-1565 Rv Ax, DIR-130 Rv Ax, DIR-330 Rv Ax, DIR-615 Rv Ix, (non-US) DIR-652 Rv Bx, DIR-655 Rv Cx, DIR-825 Rv Cx, DIR-835 Rv Ax, DIR-855L Rv Ax, (non-US) DIR-862 Rv Ax, DIR-866L Rv Ax :: CVE-2019-16920 :: 
Unauthenticated Remote Code Execution (RCE) Vulnerability](<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10124>) \n[CVE-2019-16278](<https://nvd.nist.gov/vuln/detail/CVE-2019-16278>) | \n\n * Nostromo 1.9.6 and below\n| \n\n * [Nostromo 1.9.6 Directory Traversal/ Remote Command Execution](<https://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html>)\n * [Nostromo 1.9.6 Remote Code Execution](<https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html>) \n \n[CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>) | \n\n * Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\n| \n\n * [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>) \n[CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) | \n\n * Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\n| \n\n * [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>) \n[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | \n\n * Zoho ManageEngine Desktop Central before 10.0.474\n| \n\n * [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) \n \n_Table 4: Patch information for NSA listed vulnerabilities used by Chinese state-sponsored cyber actors [[21](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)]_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2020-8193](<https://nvd.nist.gov/vuln/detail/CVE-2020-8193>) | \n\n 
* Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2020-8195](<https://nvd.nist.gov/vuln/detail/CVE-2020-8195>) | \n\n * Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2020-8196](<https://nvd.nist.gov/vuln/detail/CVE-2020-8196>) | \n\n * Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708>) | \n\n * Windows 7 for 32-bit Systems Service Pack 1\n * Windows 7 for x64-based Systems Service Pack 1\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for Itanium-Based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>) \n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | \n\n * MobileIron Core & Connector versions 10.3.0.3 and 
earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0\n * Sentry versions 9.7.2 and earlier, and 9.8.0;\n * Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\n| \n\n * [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) \n[CVE-2020-1350](<https://nvd.nist.gov/vuln/detail/CVE-2020-1350>) | \n\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows 
Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n[CVE-2020-1040](<https://nvd.nist.gov/vuln/detail/CVE-2020-1040>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>) \n[CVE-2018-6789](<https://nvd.nist.gov/vuln/detail/CVE-2018-6789>) | \n\n * Exim before 4.90.1\n| \n\n * [Exim page for CVE-2018-6789](<https://exim.org/static/doc/security/CVE-2018-6789.txt>)\n * [Exim patch information for CVE-2018-6789](<https://git.exim.org/exim.git/commit/cf3cd306062a08969c41a1cdd32c6855f1abecf1>) \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | \n\n * Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30\n * Microsoft Exchange Server 2013 Cumulative Update 23\n * Microsoft Exchange Server 2016 Cumulative Update 14\n * Microsoft Exchange Server 2016 Cumulative Update 15\n * Microsoft Exchange Server 2019 Cumulative Update 3\n * Microsoft Exchange Server 2019 Cumulative Update 4\n| \n\n * [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n[CVE-2018-4939](<https://nvd.nist.gov/vuln/detail/CVE-2018-4939>) | \n\n * ColdFusion Update 5 and earlier versions\n * ColdFusion 11 Update 13 and earlier versions\n| \n\n * [Adobe Security Bulletin 
APSB18-14](<https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html>) \n[CVE-2015-4852](<https://nvd.nist.gov/vuln/detail/CVE-2015-4852>) | \n\n * Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0\n| \n\n * [Oracle Critical Patch Update Advisory - October 2016](<https://www.oracle.com/security-alerts/cpuoct2016.html>) \n[CVE-2020-2555](<https://nvd.nist.gov/vuln/detail/CVE-2020-2555>) | \n\n * Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.\n| \n\n * [Oracle Critical Patch Update Advisory - January 2020](<https://www.oracle.com/security-alerts/cpujan2020.html>) \n[CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) | \n\n * Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2\n| \n\n * [Jira Atlassian Confluence Server and Data Center: Remote code execution via Widget Connector macro - CVE-2019-3396](<https://jira.atlassian.com/browse/CONFSERVER-57974>) \n[CVE-2019-11580](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) | \n\n * Atlassian Crowd and Crowd Data Center from version 2.1.0 before 3.0.5, from version 3.1.0 before 3.1.6, from version 3.2.0 before 3.2.8, from version 3.3.0 before 3.3.5, and from version 3.4.0 before 3.4.4\n| \n\n * [Jira Atlassian Crowd: Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580](<https://jira.atlassian.com/browse/CWD-5388>) \n[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | \n\n * Zoho ManageEngine Desktop Central before 10.0.474\n| \n\n * [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) \n[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) | \n\n * Progress Telerik UI for ASP.NET AJAX through 2019.3.1023\n| \n\n * 
[Telerik: ASP.NET AJAX: Allows JavaScriptSerializer Deserialization](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>) \n[CVE-2020-0601](<https://nvd.nist.gov/vuln/detail/CVE-2020-0601>) | \n\n * Windows 10 for 32-bit Systems\n * Windows 10 for x64-based Systems\n * Windows 10 Version 1607 for 32-bit Systems\n * Windows 10 Version 1607 for x64-based Systems\n * Windows 10 Version 1709 for 32-bit Systems\n * Windows 10 Version 1709 for ARM64-based Systems\n * Windows 10 Version 1709 for x64-based Systems\n * Windows 10 Version 1803 for 32-bit Systems\n * Windows 10 Version 1803 for ARM64-based Systems\n * Windows 10 Version 1803 for x64-based Systems\n * Windows 10 Version 1809 for 32-bit Systems\n * Windows 10 Version 1809 for ARM64-based Systems\n * Windows 10 Version 1809 for x64-based Systems\n * Windows 10 Version 1903 for 32-bit Systems\n * Windows 10 Version 1903 for ARM64-based Systems\n * Windows 10 Version 1903 for x64-based Systems\n * Windows 10 Version 1909 for 32-bit Systems\n * Windows 10 Version 1909 for ARM64-based Systems\n * Windows 10 Version 1909 for x64-based Systems\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1803 (Server Core Installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) \n[CVE-2019-0803](<https://nvd.nist.gov/vuln/detail/CVE-2019-0803>) | \n\n * Windows 10 for 32-bit Systems\n * Windows 10 for x64-based Systems\n * Windows 10 Version 1607 for 32-bit Systems\n * Windows 10 Version 1607 for x64-based Systems\n * Windows 10 Version 1703 for 32-bit Systems\n * Windows 10 Version 1703 for x64-based Systems\n * Windows 10 Version 1709 for 
32-bit Systems\n * Windows 10 Version 1709 for ARM64-based Systems\n * Windows 10 Version 1709 for x64-based Systems\n * Windows 10 Version 1803 for 32-bit Systems\n * Windows 10 Version 1803 for ARM64-based Systems\n * Windows 10 Version 1803 for x64-based Systems\n * Windows 10 Version 1809 for 32-bit Systems\n * Windows 10 Version 1809 for ARM64-based Systems\n * Windows 10 Version 1809 for x64-based Systems\n * Windows 7 for 32-bit Systems Service Pack 1\n * Windows 7 for x64-based Systems Service Pack 1\n * Windows 8.1 for 32-bit systems\n * Windows 8.1 for x64-based systems\n * Windows RT 8.1\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for Itanium-Based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1803 (Server Core Installation)\n| \n\n * [Microsoft Security Advisory for CVE-2019-0803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803>) \n \n[CVE-2017-6327](<https://nvd.nist.gov/vuln/detail/CVE-2017-6327>) | \n\n * Symantec Messaging Gateway before 10.6.3-267\n| \n\n * [Broadcom Security Updates Detail for CVE-2017-6327 and CVE-2017-6328 
](<https://www.broadcom.com/support/security-center/securityupdates/detail?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00>) \n[CVE-2020-3118](<https://nvd.nist.gov/vuln/detail/CVE-2020-3118>) | \n\n * ASR 9000 Series Aggregation Services Routers\n * Carrier Routing System (CRS)\n * IOS XRv 9000 Router\n * Network Convergence System (NCS) 540 Series Routers\n * NCS 560 Series Routers\n * NCS 1000 Series Routers\n * NCS 5000 Series Routers\n * NCS 5500 Series Routers\n * NCS 6000 Series Routers\n| \n\n * [Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce>) \n[CVE-2020-8515](<https://nvd.nist.gov/vuln/detail/CVE-2020-8515>) | \n\n * DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices\n| \n\n * [Draytek Security Advisory: Vigor3900 / Vigor2960 / Vigor300B Router Web Management Page Vulnerability (CVE-2020-8515)](<https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-\\(cve-2020-8515\\)/>) \n \n 2. **Implement rigorous configuration management programs. **Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Implementing a robust configuration and patch management program hinders sophisticated APT operations by limiting the effectiveness of opportunistic attacks. \n\n 3. **Disable unnecessary ports, protocols, and services.** Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for C2 activity. Turn off or disable any unnecessary services or functionality within devices (e.g., universal plug and play [UPnP], PowerShell). \n\n 4. 
**Enhance monitoring of network and email traffic.** Review network signatures and indicators for focused operations activities, monitor for new phishing themes, and adjust email rules accordingly. Follow best practices of restricting attachments via email. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. \n\n 5. **Use protection capabilities to stop malicious activity.** Implement antivirus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use network intrusion detection and prevention systems to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.\n\n### Contact Information\n\nCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:\n\n * 1-888-282-0870 (From outside the United States: +1-703-235-8832)\n * [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>) (UNCLASS)\n\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. 
Reporting forms can be found on the CISA homepage at <http://www.us-cert.cisa.gov/>.\n\n### References\n\n[[1] White House Publication: How China\u2019s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World ](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)\n\n[[2] Congressional Research Services: 'Made in China 2025' Industrial Policies: Issues for Congress ](<https://fas.org/sgp/crs/row/IF10964.pdf>)\n\n[[3] Council on Foreign Relations: Is \u2018Made in China 2025\u2019 a Threat to Global Trade ](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)\n\n[[4] Mandiant: APT1 Exposing One of China\u2019s Cyber Espionage Units ](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)\n\n[[5] U.S. Department of Justice (DOJ) Press Release: U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)\n\n[[6] CISA Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)\n\n[[7] DOJ Press Release: Deputy Attorney General Rod J. Rodenstein Announces Charges Against Chinese Hackers](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)\n\n[[8] CISA Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)\n\n[[9] DOJ Press Release: Deputy Attorney General William P. 
Barr Announces Indictment of Four Members of China\u2019s Military for Hacking into Equifax](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)\n\n[[10] CISA Press Release: FBI and CISA Warn Against Chinese Targeting of COVID-19 Research Organizations ](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)\n\n[[11] CISA Alert AA20-126A: APT Groups Target Healthcare and Essential Services](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)\n\n[[12] CISA Current Activity (CA): Chinese Malicious Cyber Activity](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity>)\n\n[[13] FireEye Advanced Persistent Threat Groups](<https://www.fireeye.com/current-threats/apt-groups.html>)\n\n[[14] MITRE ATT&CK: APT3](<https://attack.mitre.org/groups/G0022/>)\n\n[[15] MITRE ATT&CK: APT19](<https://attack.mitre.org/groups/G0073/>)\n\n[[16] MITRE ATT&CK: APT41](<https://attack.mitre.org/groups/G0096/>)\n\n[[17] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[18] CISA Alert AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)\n\n[[19] CISA CA: F5 Releases Security Advisory for BIG-IP TMUI RCE Vulnerability, CVE-2020-5902](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)\n\n[[20] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[21] NSA Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)\n\n### Revisions\n\nOctober 1, 2020: Initial Version|October 20, 2020: Recommended 
Actions Section Updated\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-20T12:00:00", "type": "ics", "title": "Potential for China Cyber Response to Heightened U.S.\u2013China Tensions", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2015-4852", "CVE-2017-6327", "CVE-2017-6328", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-16278", "CVE-2019-1652", "CVE-2019-1653", "CVE-2019-16920", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1040", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-6789", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-10-20T12:00:00", "id": "AA20-275A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-275a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T19:50:57", "description": "This host is missing a critical 
security\n update according to Microsoft KB4565536", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4565536)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1373", "CVE-2020-1354", "CVE-2020-1438", "CVE-2020-1401", "CVE-2020-1403", "CVE-2020-1436", "CVE-2020-1085", "CVE-2020-1390", "CVE-2020-1371", "CVE-2020-1350", "CVE-2020-1468", "CVE-2020-1360", "CVE-2020-1419", "CVE-2020-1333", "CVE-2020-1389", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1407", "CVE-2020-1384", "CVE-2020-1427", "CVE-2020-1267", "CVE-2020-1430", "CVE-2020-1412", "CVE-2020-1409", "CVE-2020-1421", "CVE-2020-1365", "CVE-2020-1435", "CVE-2020-1408", "CVE-2020-1437", "CVE-2020-1400", "CVE-2020-1359", "CVE-2020-1428", "CVE-2020-1410"], "modified": "2020-07-20T00:00:00", "id": "OPENVAS:1361412562310817232", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817232", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817232\");\n script_version(\"2020-07-20T05:00:04+0000\");\n script_cve_id(\"CVE-2020-1085\", \"CVE-2020-1267\", \"CVE-2020-1333\", \"CVE-2020-1350\",\n \"CVE-2020-1354\", \"CVE-2020-1359\", \"CVE-2020-1360\", \"CVE-2020-1365\",\n \"CVE-2020-1371\", \"CVE-2020-1373\", \"CVE-2020-1384\", \"CVE-2020-1389\",\n \"CVE-2020-1390\", \"CVE-2020-1396\", \"CVE-2020-1397\", \"CVE-2020-1400\",\n \"CVE-2020-1401\", \"CVE-2020-1403\", \"CVE-2020-1407\", \"CVE-2020-1408\",\n \"CVE-2020-1409\", \"CVE-2020-1410\", \"CVE-2020-1412\", \"CVE-2020-1419\",\n \"CVE-2020-1421\", \"CVE-2020-1427\", \"CVE-2020-1428\", \"CVE-2020-1430\",\n \"CVE-2020-1435\", \"CVE-2020-1436\", \"CVE-2020-1437\", \"CVE-2020-1438\",\n \"CVE-2020-1468\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-20 05:00:04 +0000 (Mon, 20 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 20:23:57 +0530 (Wed, 15 Jul 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4565536)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4565536\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows Domain Name System servers fail to properly handle requests (SIGRed, CVE-2020-1350).\n\n - DirectWrite fails to properly handle objects in memory.\n\n - Windows Address Book (WAB) fails to properly processes vcard files.\n\n - 
Windows Graphics Device Interface (GDI) fails to properly handle\n objects in the memory.\n\n - Windows Network Connections Service fails to handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information\n and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2\n\n - Microsoft Windows Server 2008 for x64-based Systems Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4565536\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Gdiplus.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"5.2.6003.20883\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Gdiplus.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 5.2.6003.20883\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-07-21T19:51:37", "description": "This host is missing a critical security\n update according to Microsoft KB4565524", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4565524)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1373", "CVE-2020-1354", "CVE-2020-1438", "CVE-2020-1432", "CVE-2020-1401", "CVE-2020-1403", "CVE-2020-1436", "CVE-2020-1085", "CVE-2020-1390", "CVE-2020-1402", "CVE-2020-1371", "CVE-2020-1350", "CVE-2020-1468", "CVE-2020-1360", "CVE-2020-1419", "CVE-2020-1333", "CVE-2020-1389", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1407", "CVE-2020-1384", "CVE-2020-1427", "CVE-2020-1267", "CVE-2020-1430", "CVE-2020-1412", "CVE-2020-1409", "CVE-2020-1374", "CVE-2020-1421", "CVE-2020-1365", "CVE-2020-1435", "CVE-2020-1408", "CVE-2020-1437", "CVE-2020-1400", "CVE-2020-1359", "CVE-2020-1428", "CVE-2020-1351", "CVE-2020-1410"], "modified": "2020-07-20T00:00:00", "id": "OPENVAS:1361412562310817230", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817230", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817230\");\n script_version(\"2020-07-20T05:00:04+0000\");\n script_cve_id(\"CVE-2020-1085\", \"CVE-2020-1267\", \"CVE-2020-1333\", \"CVE-2020-1350\",\n \"CVE-2020-1351\", \"CVE-2020-1354\", \"CVE-2020-1359\", \"CVE-2020-1360\",\n \"CVE-2020-1365\", \"CVE-2020-1371\", \"CVE-2020-1373\", \"CVE-2020-1374\",\n \"CVE-2020-1384\", \"CVE-2020-1389\", \"CVE-2020-1390\", \"CVE-2020-1396\",\n \"CVE-2020-1397\", \"CVE-2020-1400\", \"CVE-2020-1401\", \"CVE-2020-1402\",\n \"CVE-2020-1403\", \"CVE-2020-1407\", \"CVE-2020-1408\", \"CVE-2020-1409\",\n \"CVE-2020-1410\", \"CVE-2020-1412\", \"CVE-2020-1419\", \"CVE-2020-1421\",\n \"CVE-2020-1427\", \"CVE-2020-1428\", \"CVE-2020-1430\", \"CVE-2020-1432\",\n \"CVE-2020-1435\", \"CVE-2020-1436\", \"CVE-2020-1437\", \"CVE-2020-1438\",\n \"CVE-2020-1468\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-20 05:00:04 +0000 (Mon, 20 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 18:26:24 +0530 (Wed, 15 Jul 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4565524)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4565524\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows Domain Name System servers fail to properly handle requests (SIGRed, CVE-2020-1350).\n\n - Windows Event Logging Service fails to properly handle 
memory.\n\n - Windows Network Location Awareness Service fails to properly\n handle objects in memory.\n\n - Windows Jet Database Engine fails to properly handle objects in memory.\n\n - Windows Network Connections Service fails to properly handle\n objects in memory.\n\n - Windows Cryptography Next Generation (CNG) Key Isolation service\n fails to properly handle memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information\n and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\n\n - Microsoft Windows Server 2012\n\n - Microsoft Windows 7 for x64-based Systems Service Pack 1\n\n - Microsoft Windows 7 for 32-bit Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4565524\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008r2:2, win2012:1, win7x64:2, win7:2) <= 0){\n exit(0);\n}\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Gdiplus.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"5.2.7601.24557\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Gdiplus.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 5.2.7601.24557\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:31", "description": "This host is missing a critical security\n update according to Microsoft KB4565541", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4565541)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1373", "CVE-2020-1354", "CVE-2020-1438", "CVE-2020-1432", "CVE-2020-1401", "CVE-2020-1403", "CVE-2020-1436", "CVE-2020-1085", "CVE-2020-1390", "CVE-2020-1402", "CVE-2020-1406", "CVE-2020-1371", "CVE-2020-1350", "CVE-2020-1468", "CVE-2020-1360", "CVE-2020-1419", "CVE-2020-1333", "CVE-2020-1356", "CVE-2020-1389", "CVE-2020-1385", "CVE-2020-1396", "CVE-2020-1397", 
"CVE-2020-1407", "CVE-2020-1384", "CVE-2020-1427", "CVE-2020-1267", "CVE-2020-1399", "CVE-2020-1368", "CVE-2020-1249", "CVE-2020-1430", "CVE-2020-1412", "CVE-2020-1409", "CVE-2020-1374", "CVE-2020-1421", "CVE-2020-1365", "CVE-2020-1435", "CVE-2020-1408", "CVE-2020-1437", "CVE-2020-1400", "CVE-2020-1359", "CVE-2020-1428", "CVE-2020-1351", "CVE-2020-1410"], "modified": "2020-07-20T00:00:00", "id": "OPENVAS:1361412562310817231", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817231", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817231\");\n script_version(\"2020-07-20T05:00:04+0000\");\n script_cve_id(\"CVE-2020-1085\", \"CVE-2020-1249\", \"CVE-2020-1267\", \"CVE-2020-1333\",\n \"CVE-2020-1350\", \"CVE-2020-1351\", \"CVE-2020-1354\", \"CVE-2020-1356\",\n \"CVE-2020-1359\", \"CVE-2020-1360\", \"CVE-2020-1365\", \"CVE-2020-1368\",\n \"CVE-2020-1371\", \"CVE-2020-1373\", \"CVE-2020-1374\", \"CVE-2020-1384\",\n \"CVE-2020-1385\", \"CVE-2020-1389\", \"CVE-2020-1390\", \"CVE-2020-1396\",\n \"CVE-2020-1397\", \"CVE-2020-1399\", \"CVE-2020-1400\", \"CVE-2020-1401\",\n \"CVE-2020-1402\", \"CVE-2020-1403\", \"CVE-2020-1406\", \"CVE-2020-1407\",\n \"CVE-2020-1408\", \"CVE-2020-1409\", \"CVE-2020-1410\", \"CVE-2020-1412\",\n \"CVE-2020-1419\", \"CVE-2020-1421\", \"CVE-2020-1427\", \"CVE-2020-1428\",\n \"CVE-2020-1430\", \"CVE-2020-1432\", \"CVE-2020-1435\", \"CVE-2020-1436\",\n \"CVE-2020-1437\", \"CVE-2020-1438\", \"CVE-2020-1468\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-20 05:00:04 +0000 (Mon, 20 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 19:22:27 +0530 (Wed, 15 Jul 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4565541)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4565541\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows Domain Name System servers fail to 
properly handle requests (SIGRed, CVE-2020-1350).\n\n - DirectWrite fails to properly handle objects in memory.\n\n - Windows Address Book (WAB) fails to properly processes vcard files.\n\n - Windows Graphics Device Interface (GDI) fails to properly handle\n objects in the memory.\n\n - Windows Network Connections Service fails to handle objects in memory.\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information\n and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 32-bit Systems\n\n - Microsoft Windows 8.1 for x64-based Systems\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4565541\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0)\n exit(0);\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Gdiplus.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.19756\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Gdiplus.dll\",\n file_version:fileVer, 
vulnerable_range:\"Less than 6.3.9600.19756\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:39", "description": "This host is missing a critical security\n update according to Microsoft KB4565511", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4565511)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1373", "CVE-2020-1354", "CVE-2020-1438", "CVE-2020-1404", "CVE-2020-1432", "CVE-2020-1401", "CVE-2020-1403", "CVE-2020-1420", "CVE-2020-1413", "CVE-2020-1344", "CVE-2020-1433", "CVE-2020-1353", "CVE-2020-1436", "CVE-2020-1085", "CVE-2020-1390", "CVE-2020-1358", "CVE-2020-1402", "CVE-2020-1406", "CVE-2020-1371", "CVE-2020-1352", "CVE-2020-1350", "CVE-2020-1411", "CVE-2020-1393", "CVE-2020-1468", "CVE-2020-1370", "CVE-2020-1360", "CVE-2020-1419", "CVE-2020-1333", "CVE-2020-1356", "CVE-2020-1336", "CVE-2020-1389", "CVE-2020-1385", "CVE-2020-1396", "CVE-2020-1362", "CVE-2020-1388", "CVE-2020-1397", "CVE-2020-1407", "CVE-2020-1384", "CVE-2020-1463", "CVE-2020-1427", "CVE-2020-1395", "CVE-2020-1267", "CVE-2020-1399", "CVE-2020-1368", "CVE-2020-1249", "CVE-2020-1430", "CVE-2020-1357", "CVE-2020-1412", "CVE-2020-1409", "CVE-2020-1147", "CVE-2020-1462", "CVE-2020-1374", "CVE-2020-1421", "CVE-2020-1365", "CVE-2020-1435", "CVE-2020-1369", "CVE-2020-1408", "CVE-2020-1437", "CVE-2020-1434", "CVE-2020-1361", "CVE-2020-1400", "CVE-2020-1398", "CVE-2020-1359", "CVE-2020-1428", "CVE-2020-1351", "CVE-2020-1429", "CVE-2020-1364", "CVE-2020-1410"], "modified": "2020-07-20T00:00:00", "id": "OPENVAS:1361412562310817226", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817226", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right 
holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817226\");\n script_version(\"2020-07-20T05:00:04+0000\");\n script_cve_id(\"CVE-2020-1085\", \"CVE-2020-1147\", \"CVE-2020-1249\", \"CVE-2020-1267\",\n \"CVE-2020-1333\", \"CVE-2020-1336\", \"CVE-2020-1344\", \"CVE-2020-1350\",\n \"CVE-2020-1351\", \"CVE-2020-1352\", \"CVE-2020-1353\", \"CVE-2020-1354\",\n \"CVE-2020-1356\", \"CVE-2020-1357\", \"CVE-2020-1358\", \"CVE-2020-1359\",\n \"CVE-2020-1360\", \"CVE-2020-1361\", \"CVE-2020-1362\", \"CVE-2020-1364\",\n \"CVE-2020-1365\", \"CVE-2020-1368\", \"CVE-2020-1369\", \"CVE-2020-1370\",\n \"CVE-2020-1371\", \"CVE-2020-1373\", \"CVE-2020-1374\", \"CVE-2020-1384\",\n \"CVE-2020-1385\", \"CVE-2020-1388\", \"CVE-2020-1389\", \"CVE-2020-1390\",\n \"CVE-2020-1393\", \"CVE-2020-1395\", \"CVE-2020-1396\", \"CVE-2020-1397\",\n \"CVE-2020-1398\", \"CVE-2020-1399\", \"CVE-2020-1400\", \"CVE-2020-1401\",\n \"CVE-2020-1402\", \"CVE-2020-1403\", \"CVE-2020-1404\", \"CVE-2020-1406\",\n \"CVE-2020-1407\", \"CVE-2020-1408\", \"CVE-2020-1409\", \"CVE-2020-1410\",\n \"CVE-2020-1411\", \"CVE-2020-1412\", \"CVE-2020-1413\", \"CVE-2020-1419\",\n \"CVE-2020-1420\", \"CVE-2020-1421\", \"CVE-2020-1427\", \"CVE-2020-1428\",\n 
\"CVE-2020-1429\", \"CVE-2020-1430\", \"CVE-2020-1432\", \"CVE-2020-1433\",\n \"CVE-2020-1434\", \"CVE-2020-1435\", \"CVE-2020-1436\", \"CVE-2020-1437\",\n \"CVE-2020-1438\", \"CVE-2020-1462\", \"CVE-2020-1463\", \"CVE-2020-1468\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-20 05:00:04 +0000 (Mon, 20 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 15:23:26 +0530 (Wed, 15 Jul 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4565511)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4565511\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows Domain Name System servers fail to properly handle requests (SIGRed, CVE-2020-1350).\n\n - Windows System Events Broker fails to properly handle file operations.\n\n - Windows WalletService fails to properly handle objects in memory.\n\n - Windows Runtime fails to properly handle objects in memory.\n\n - Windows Jet Database Engine fails to properly handle objects in memory.\n\n - Windows Network Connections Service fails to properly handle\n objects in memory.\n\n - SharedStream Library fails to handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information\n and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1607 for x64-based Systems\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", 
value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4565511\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0)\n exit(0);\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Gdiplus.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_in_range(version:fileVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.3807\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Gdiplus.dll\",\n file_version:fileVer, vulnerable_range:\"10.0.14393.0 - 10.0.14393.3807\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:36", "description": "This host is missing a critical security\n update according to Microsoft KB4558998", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4558998)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1373", "CVE-2020-1367", "CVE-2020-1330", "CVE-2020-1354", "CVE-2020-1438", "CVE-2020-1404", "CVE-2020-1432", "CVE-2020-1401", "CVE-2020-1372", "CVE-2020-1403", "CVE-2020-1420", "CVE-2020-1413", "CVE-2020-1392", "CVE-2020-1405", "CVE-2020-1344", "CVE-2020-1414", "CVE-2020-1433", "CVE-2020-1353", 
"CVE-2020-1415", "CVE-2020-1436", "CVE-2020-1375", "CVE-2020-1085", "CVE-2020-1390", "CVE-2020-1358", "CVE-2020-1402", "CVE-2020-1406", "CVE-2020-1371", "CVE-2020-1352", "CVE-2020-1350", "CVE-2020-1411", "CVE-2020-1393", "CVE-2020-1386", "CVE-2020-1468", "CVE-2020-1422", "CVE-2020-1370", "CVE-2020-1347", "CVE-2020-1360", "CVE-2020-1419", "CVE-2020-1333", "CVE-2020-1356", "CVE-2020-1336", "CVE-2020-1389", "CVE-2020-1418", "CVE-2020-1385", "CVE-2020-1396", "CVE-2020-1362", "CVE-2020-1431", "CVE-2020-1388", "CVE-2020-1426", "CVE-2020-1397", "CVE-2020-1407", "CVE-2020-1384", "CVE-2020-1463", "CVE-2020-1427", "CVE-2020-1363", "CVE-2020-1395", "CVE-2020-1267", "CVE-2020-1399", "CVE-2020-1368", "CVE-2020-1249", "CVE-2020-1430", "CVE-2020-1357", "CVE-2020-1412", "CVE-2020-1409", "CVE-2020-1462", "CVE-2020-1374", "CVE-2020-1421", "CVE-2020-1365", "CVE-2020-1435", "CVE-2020-1369", "CVE-2020-1408", "CVE-2020-1394", "CVE-2020-1437", "CVE-2020-1434", "CVE-2020-1366", "CVE-2020-1361", "CVE-2020-1400", "CVE-2020-1398", "CVE-2020-1359", "CVE-2020-1424", "CVE-2020-1428", "CVE-2020-1351", "CVE-2020-1429", "CVE-2020-1364", "CVE-2020-1387", "CVE-2020-1410"], "modified": "2020-07-20T00:00:00", "id": "OPENVAS:1361412562310817228", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817228", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817228\");\n script_version(\"2020-07-20T05:00:04+0000\");\n script_cve_id(\"CVE-2020-1085\", \"CVE-2020-1249\", \"CVE-2020-1267\", \"CVE-2020-1330\",\n \"CVE-2020-1333\", \"CVE-2020-1336\", \"CVE-2020-1344\", \"CVE-2020-1347\",\n \"CVE-2020-1350\", \"CVE-2020-1351\", \"CVE-2020-1352\", \"CVE-2020-1353\",\n \"CVE-2020-1354\", \"CVE-2020-1356\", \"CVE-2020-1357\", \"CVE-2020-1358\",\n \"CVE-2020-1359\", \"CVE-2020-1360\", \"CVE-2020-1361\", \"CVE-2020-1362\",\n \"CVE-2020-1363\", \"CVE-2020-1364\", \"CVE-2020-1365\", \"CVE-2020-1366\",\n \"CVE-2020-1367\", \"CVE-2020-1368\", \"CVE-2020-1369\", \"CVE-2020-1370\",\n \"CVE-2020-1371\", \"CVE-2020-1372\", \"CVE-2020-1373\", \"CVE-2020-1374\",\n \"CVE-2020-1375\", \"CVE-2020-1384\", \"CVE-2020-1385\", \"CVE-2020-1386\",\n \"CVE-2020-1387\", \"CVE-2020-1388\", \"CVE-2020-1389\", \"CVE-2020-1390\",\n \"CVE-2020-1392\", \"CVE-2020-1393\", \"CVE-2020-1394\", \"CVE-2020-1395\",\n \"CVE-2020-1396\", \"CVE-2020-1397\", \"CVE-2020-1398\", \"CVE-2020-1399\",\n \"CVE-2020-1400\", \"CVE-2020-1401\", \"CVE-2020-1402\", \"CVE-2020-1403\",\n \"CVE-2020-1404\", \"CVE-2020-1405\", \"CVE-2020-1406\", \"CVE-2020-1407\",\n \"CVE-2020-1408\", \"CVE-2020-1409\", \"CVE-2020-1410\", \"CVE-2020-1411\",\n \"CVE-2020-1412\", \"CVE-2020-1413\", \"CVE-2020-1414\", \"CVE-2020-1415\",\n \"CVE-2020-1418\", \"CVE-2020-1419\", \"CVE-2020-1420\", \"CVE-2020-1421\",\n \"CVE-2020-1422\", \"CVE-2020-1424\", \"CVE-2020-1426\", \"CVE-2020-1427\",\n \"CVE-2020-1428\", \"CVE-2020-1429\", \"CVE-2020-1430\", \"CVE-2020-1431\",\n \"CVE-2020-1432\", \"CVE-2020-1433\", \"CVE-2020-1434\", \"CVE-2020-1435\",\n \"CVE-2020-1436\", \"CVE-2020-1437\", 
\"CVE-2020-1438\", \"CVE-2020-1462\",\n \"CVE-2020-1463\", \"CVE-2020-1468\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-20 05:00:04 +0000 (Mon, 20 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 17:15:21 +0530 (Wed, 15 Jul 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4558998)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4558998\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows Domain Name System servers fail to properly handle requests (SIGRed, CVE-2020-1350).\n\n - Windows System Events Broker fails to properly handle file operations.\n\n - Windows WalletService fails to properly handle objects in memory.\n\n - Windows Mobile Device Management (MDM) Diagnostics fails to\n properly handle objects in memory.\n\n - Windows Jet Database Engine fails to properly handle objects in memory.\n\n - Windows Network Connections Service fails to properly handle\n objects in memory.\n\n - SharedStream Library fails to handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information\n and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1809 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1809 for x64-based Systems\n\n - Microsoft Windows Server 2019\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4558998\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2019:1) <= 0){\n exit(0);\n}\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Gdiplus.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_in_range(version:fileVer, test_version:\"10.0.17763.0\", test_version2:\"10.0.17763.1338\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Gdiplus.dll\",\n file_version:fileVer, vulnerable_range:\"10.0.17763.0 - 10.0.17763.1338\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:51:32", "description": "This host is missing a critical security\n update according to Microsoft KB4565503", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4565503)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1373", "CVE-2020-1382", "CVE-2020-1367", "CVE-2020-1330", "CVE-2019-1469", "CVE-2020-1354", "CVE-2020-1438", "CVE-2020-1404", "CVE-2020-1432", "CVE-2020-1401", "CVE-2020-1372", "CVE-2020-1403", "CVE-2020-1420", "CVE-2020-1413", "CVE-2020-1392", "CVE-2020-1405", "CVE-2020-1344", "CVE-2020-1414", "CVE-2020-1433", "CVE-2020-1353", 
"CVE-2020-1355", "CVE-2020-1415", "CVE-2020-1436", "CVE-2020-1375", "CVE-2020-1085", "CVE-2020-1390", "CVE-2020-1358", "CVE-2020-1402", "CVE-2020-1406", "CVE-2020-1371", "CVE-2020-1352", "CVE-2020-1350", "CVE-2020-1391", "CVE-2020-1411", "CVE-2020-1393", "CVE-2020-1386", "CVE-2020-1468", "CVE-2020-1422", "CVE-2020-1370", "CVE-2020-1347", "CVE-2020-1360", "CVE-2020-1419", "CVE-2020-1333", "CVE-2020-1356", "CVE-2020-1336", "CVE-2020-1389", "CVE-2020-1418", "CVE-2020-1385", "CVE-2020-1396", "CVE-2020-1362", "CVE-2020-1431", "CVE-2020-1388", "CVE-2020-1423", "CVE-2020-1426", "CVE-2020-1397", "CVE-2020-1407", "CVE-2020-1384", "CVE-2020-1463", "CVE-2020-1427", "CVE-2020-1363", "CVE-2020-1381", "CVE-2020-1395", "CVE-2020-1267", "CVE-2020-1399", "CVE-2020-1368", "CVE-2020-1249", "CVE-2020-1430", "CVE-2020-1357", "CVE-2020-1412", "CVE-2020-1409", "CVE-2020-1462", "CVE-2020-1374", "CVE-2020-1421", "CVE-2020-1365", "CVE-2020-1435", "CVE-2020-1369", "CVE-2020-1408", "CVE-2020-1394", "CVE-2020-1437", "CVE-2020-1434", "CVE-2020-1366", "CVE-2020-1361", "CVE-2020-1400", "CVE-2020-1398", "CVE-2020-1359", "CVE-2020-1424", "CVE-2020-1428", "CVE-2020-1351", "CVE-2020-1429", "CVE-2020-1364", "CVE-2020-1387", "CVE-2020-1410"], "modified": "2020-07-20T00:00:00", "id": "OPENVAS:1361412562310817224", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817224", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty 
of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817224\");\n script_version(\"2020-07-20T05:00:04+0000\");\n script_cve_id(\"CVE-2019-1469\", \"CVE-2020-1085\", \"CVE-2020-1249\", \"CVE-2020-1267\",\n \"CVE-2020-1330\", \"CVE-2020-1333\", \"CVE-2020-1336\", \"CVE-2020-1344\",\n \"CVE-2020-1347\", \"CVE-2020-1350\", \"CVE-2020-1351\", \"CVE-2020-1352\",\n \"CVE-2020-1353\", \"CVE-2020-1354\", \"CVE-2020-1355\", \"CVE-2020-1356\",\n \"CVE-2020-1357\", \"CVE-2020-1358\", \"CVE-2020-1359\", \"CVE-2020-1360\",\n \"CVE-2020-1361\", \"CVE-2020-1362\", \"CVE-2020-1363\", \"CVE-2020-1364\",\n \"CVE-2020-1365\", \"CVE-2020-1366\", \"CVE-2020-1367\", \"CVE-2020-1368\",\n \"CVE-2020-1369\", \"CVE-2020-1370\", \"CVE-2020-1371\", \"CVE-2020-1372\",\n \"CVE-2020-1373\", \"CVE-2020-1374\", \"CVE-2020-1375\", \"CVE-2020-1381\",\n \"CVE-2020-1382\", \"CVE-2020-1384\", \"CVE-2020-1385\", \"CVE-2020-1386\",\n \"CVE-2020-1387\", \"CVE-2020-1388\", \"CVE-2020-1389\", \"CVE-2020-1390\",\n \"CVE-2020-1391\", \"CVE-2020-1392\", \"CVE-2020-1393\", \"CVE-2020-1394\",\n \"CVE-2020-1395\", \"CVE-2020-1396\", \"CVE-2020-1397\", \"CVE-2020-1398\",\n \"CVE-2020-1399\", \"CVE-2020-1400\", \"CVE-2020-1401\", \"CVE-2020-1402\",\n \"CVE-2020-1403\", \"CVE-2020-1404\", \"CVE-2020-1405\", \"CVE-2020-1406\",\n \"CVE-2020-1407\", \"CVE-2020-1408\", \"CVE-2020-1409\", \"CVE-2020-1410\",\n \"CVE-2020-1411\", \"CVE-2020-1412\", \"CVE-2020-1413\", \"CVE-2020-1414\",\n \"CVE-2020-1415\", \"CVE-2020-1418\", \"CVE-2020-1419\", \"CVE-2020-1420\",\n \"CVE-2020-1421\", \"CVE-2020-1422\", \"CVE-2020-1423\", \"CVE-2020-1424\",\n \"CVE-2020-1426\", \"CVE-2020-1427\", \"CVE-2020-1428\", 
\"CVE-2020-1429\",\n \"CVE-2020-1430\", \"CVE-2020-1431\", \"CVE-2020-1432\", \"CVE-2020-1433\",\n \"CVE-2020-1434\", \"CVE-2020-1435\", \"CVE-2020-1436\", \"CVE-2020-1437\",\n \"CVE-2020-1438\", \"CVE-2020-1462\", \"CVE-2020-1463\", \"CVE-2020-1468\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-20 05:00:04 +0000 (Mon, 20 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 12:33:34 +0530 (Wed, 15 Jul 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4565503)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4565503\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows Domain Name System servers fail to properly handle requests (SIGRed, CVE-2020-1350).\n\n - Windows System Events Broker fails to properly handle file operations.\n\n - Windows WalletService fails to properly handle objects in memory.\n\n - Windows Mobile Device Management (MDM) Diagnostics fails to\n properly handle objects in memory.\n\n - Windows Jet Database Engine fails to properly handle objects in memory.\n\n - Windows Network Connections Service fails to properly handle\n objects in memory.\n\n - SharedStream Library fails to handle objects in memory.\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information\n and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 2004 for 32-bit Systems\n\n - Microsoft Windows 10 Version 2004 for x64-based Systems\");\n\n 
script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4565503\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0)\n exit(0);\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Gdiplus.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_in_range(version:fileVer, test_version:\"10.0.19041.0\", test_version2:\"10.0.19041.387\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Gdiplus.dll\",\n file_version:fileVer, vulnerable_range:\"10.0.19041.0 - 10.0.19041.387\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T19:50:57", "description": "This host is missing a critical security\n update according to Microsoft KB4565483", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4565483)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1373", "CVE-2020-1382", "CVE-2020-1367", "CVE-2020-1330", "CVE-2020-1354", "CVE-2020-1438", "CVE-2020-1404", "CVE-2020-1432", "CVE-2020-1401", "CVE-2020-1372", "CVE-2020-1403", "CVE-2020-1420", "CVE-2020-1413", "CVE-2020-1392", "CVE-2020-1405", "CVE-2020-1344", "CVE-2020-1414", 
"CVE-2020-1433", "CVE-2020-1353", "CVE-2020-1355", "CVE-2020-1415", "CVE-2020-1436", "CVE-2020-1375", "CVE-2020-1085", "CVE-2020-1390", "CVE-2020-1358", "CVE-2020-1402", "CVE-2020-1406", "CVE-2020-1371", "CVE-2020-1352", "CVE-2020-1350", "CVE-2020-1391", "CVE-2020-1411", "CVE-2020-1393", "CVE-2020-1386", "CVE-2020-1468", "CVE-2020-1422", "CVE-2020-1370", "CVE-2020-1347", "CVE-2020-1360", "CVE-2020-1419", "CVE-2020-1333", "CVE-2020-1356", "CVE-2020-1336", "CVE-2020-1389", "CVE-2020-1418", "CVE-2020-1385", "CVE-2020-1396", "CVE-2020-1362", "CVE-2020-1431", "CVE-2020-1388", "CVE-2020-1426", "CVE-2020-1397", "CVE-2020-1407", "CVE-2020-1384", "CVE-2020-1463", "CVE-2020-1427", "CVE-2020-1363", "CVE-2020-1381", "CVE-2020-1395", "CVE-2020-1267", "CVE-2020-1399", "CVE-2020-1368", "CVE-2020-1249", "CVE-2020-1430", "CVE-2020-1357", "CVE-2020-1412", "CVE-2020-1409", "CVE-2020-1462", "CVE-2020-1374", "CVE-2020-1421", "CVE-2020-1365", "CVE-2020-1435", "CVE-2020-1369", "CVE-2020-1408", "CVE-2020-1394", "CVE-2020-1437", "CVE-2020-1434", "CVE-2020-1366", "CVE-2020-1361", "CVE-2020-1400", "CVE-2020-1398", "CVE-2020-1359", "CVE-2020-1424", "CVE-2020-1428", "CVE-2020-1351", "CVE-2020-1429", "CVE-2020-1364", "CVE-2020-1387", "CVE-2020-1410"], "modified": "2020-07-20T00:00:00", "id": "OPENVAS:1361412562310817088", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817088", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the 
implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817088\");\n script_version(\"2020-07-20T05:00:04+0000\");\n script_cve_id(\"CVE-2020-1085\", \"CVE-2020-1249\", \"CVE-2020-1267\", \"CVE-2020-1330\",\n \"CVE-2020-1333\", \"CVE-2020-1336\", \"CVE-2020-1344\", \"CVE-2020-1347\",\n \"CVE-2020-1350\", \"CVE-2020-1351\", \"CVE-2020-1352\", \"CVE-2020-1353\",\n \"CVE-2020-1354\", \"CVE-2020-1355\", \"CVE-2020-1356\", \"CVE-2020-1357\",\n \"CVE-2020-1358\", \"CVE-2020-1359\", \"CVE-2020-1360\", \"CVE-2020-1361\",\n \"CVE-2020-1362\", \"CVE-2020-1363\", \"CVE-2020-1364\", \"CVE-2020-1365\",\n \"CVE-2020-1366\", \"CVE-2020-1367\", \"CVE-2020-1368\", \"CVE-2020-1369\",\n \"CVE-2020-1370\", \"CVE-2020-1371\", \"CVE-2020-1372\", \"CVE-2020-1373\",\n \"CVE-2020-1374\", \"CVE-2020-1375\", \"CVE-2020-1381\", \"CVE-2020-1382\",\n \"CVE-2020-1384\", \"CVE-2020-1385\", \"CVE-2020-1386\", \"CVE-2020-1387\",\n \"CVE-2020-1388\", \"CVE-2020-1389\", \"CVE-2020-1390\", \"CVE-2020-1391\",\n \"CVE-2020-1392\", \"CVE-2020-1393\", \"CVE-2020-1394\", \"CVE-2020-1395\",\n \"CVE-2020-1396\", \"CVE-2020-1397\", \"CVE-2020-1398\", \"CVE-2020-1399\",\n \"CVE-2020-1400\", \"CVE-2020-1401\", \"CVE-2020-1402\", \"CVE-2020-1403\",\n \"CVE-2020-1404\", \"CVE-2020-1405\", \"CVE-2020-1406\", \"CVE-2020-1407\",\n \"CVE-2020-1408\", \"CVE-2020-1409\", \"CVE-2020-1410\", \"CVE-2020-1411\",\n \"CVE-2020-1412\", \"CVE-2020-1413\", \"CVE-2020-1414\", \"CVE-2020-1415\",\n \"CVE-2020-1418\", \"CVE-2020-1419\", \"CVE-2020-1420\", \"CVE-2020-1421\",\n \"CVE-2020-1422\", \"CVE-2020-1424\", \"CVE-2020-1426\", \"CVE-2020-1427\",\n \"CVE-2020-1428\", \"CVE-2020-1429\", 
\"CVE-2020-1430\", \"CVE-2020-1431\",\n \"CVE-2020-1432\", \"CVE-2020-1433\", \"CVE-2020-1434\", \"CVE-2020-1435\",\n \"CVE-2020-1436\", \"CVE-2020-1437\", \"CVE-2020-1438\", \"CVE-2020-1462\",\n \"CVE-2020-1463\", \"CVE-2020-1468\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-20 05:00:04 +0000 (Mon, 20 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 14:47:24 +0530 (Wed, 15 Jul 2020)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4565483)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4565483\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows Domain Name System servers fail to properly handle requests (SIGRed, CVE-2020-1350).\n\n - Windows System Events Broker fails to properly handle file operations.\n\n - Windows WalletService fails to properly handle objects in memory.\n\n - Windows Mobile Device Management (MDM) Diagnostics fails to\n properly handle objects in memory.\n\n - Windows Jet Database Engine fails to properly handle objects in memory.\n\n - Windows Network Connections Service fails to properly handle\n objects in memory.\n\n - SharedStream Library fails to handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privilges, disclose sensitive information\n and denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1903 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1909 for 32-bit Systems\n\n - Microsoft Windows 10 Version 
1903 for x64-based Systems\n\n - Microsoft Windows 10 Version 1909 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4565483\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0)\n exit(0);\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Gdiplus.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_in_range(version:fileVer, test_version:\"10.0.18362.0\", test_version2:\"10.0.18362.959\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Gdiplus.dll\",\n file_version:fileVer, vulnerable_range:\"10.0.18362.0 - 10.0.18362.959\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2023-06-06T15:24:16", "description": "### *Detect date*:\n07/14/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 2004 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 8.1 for x64-based systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nInternet Explorer 11 \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1803 for x64-based Systems \nMicrosoft Office 2019 for Mac \nWindows RT 8.1 \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nMicrosoft Office 2016 for Mac \nWindows Server 2019 \nInternet Explorer 9 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based 
Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-1333](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1333>) \n[CVE-2020-1384](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1384>) \n[CVE-2020-1346](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1346>) \n[CVE-2020-1389](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1389>) \n[CVE-2020-1032](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1032>) \n[CVE-2020-1036](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1036>) \n[CVE-2020-1360](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1360>) \n[CVE-2020-1267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1267>) \n[CVE-2020-1365](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1365>) \n[CVE-2020-1354](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1354>) \n[CVE-2020-1419](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1419>) \n[CVE-2020-1438](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1438>) \n[CVE-2020-1435](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1435>) \n[CVE-2020-1412](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1412>) 
\n[CVE-2020-1437](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1437>) \n[CVE-2020-1436](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1436>) \n[CVE-2020-1430](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1430>) \n[CVE-2020-1428](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1428>) \n[CVE-2020-1396](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1396>) \n[CVE-2020-1397](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1397>) \n[CVE-2020-1390](<https://nvd.nist.gov/vuln/detail/CVE-2020-1390>) \n[CVE-2020-1359](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1359>) \n[CVE-2020-1371](<https://nvd.nist.gov/vuln/detail/CVE-2020-1371>) \n[CVE-2020-1350](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1350>) \n[CVE-2020-1351](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1351>) \n[CVE-2020-1040](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1040>) \n[CVE-2020-1041](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1041>) \n[CVE-2020-1042](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1042>) \n[CVE-2020-1043](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1043>) \n[CVE-2020-1373](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1373>) \n[CVE-2020-1410](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1410>) \n[CVE-2020-1374](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1374>) \n[CVE-2020-1085](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1085>) \n[CVE-2020-1407](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1407>) 
\n[CVE-2020-1400](<https://nvd.nist.gov/vuln/detail/CVE-2020-1400>) \n[CVE-2020-1401](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1401>) \n[CVE-2020-1402](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1402>) \n[CVE-2020-1403](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1403>) \n[CVE-2020-1427](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1427>) \n[CVE-2020-1468](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1468>) \n[CVE-2020-1408](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1408>) \n[CVE-2020-1409](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1409>) \n[CVE-2020-1421](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1421>) \n[ADV200008](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/ADV200008>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2020-1403](<https://vulners.com/cve/CVE-2020-1403>)7.6Critical \n[CVE-2020-1333](<https://vulners.com/cve/CVE-2020-1333>)3.7Warning \n[CVE-2020-1384](<https://vulners.com/cve/CVE-2020-1384>)4.6Warning \n[CVE-2020-1346](<https://vulners.com/cve/CVE-2020-1346>)4.6Warning \n[CVE-2020-1389](<https://vulners.com/cve/CVE-2020-1389>)2.1Warning \n[CVE-2020-1032](<https://vulners.com/cve/CVE-2020-1032>)7.7Critical \n[CVE-2020-1036](<https://vulners.com/cve/CVE-2020-1036>)7.7Critical \n[CVE-2020-1360](<https://vulners.com/cve/CVE-2020-1360>)4.6Warning \n[CVE-2020-1267](<https://vulners.com/cve/CVE-2020-1267>)4.0Warning \n[CVE-2020-1365](<https://vulners.com/cve/CVE-2020-1365>)4.6Warning \n[CVE-2020-1354](<https://vulners.com/cve/CVE-2020-1354>)4.6Warning \n[CVE-2020-1419](<https://vulners.com/cve/CVE-2020-1419>)2.1Warning 
\n[CVE-2020-1438](<https://vulners.com/cve/CVE-2020-1438>)4.6Warning \n[CVE-2020-1435](<https://vulners.com/cve/CVE-2020-1435>)9.3Critical \n[CVE-2020-1412](<https://vulners.com/cve/CVE-2020-1412>)9.3Critical \n[CVE-2020-1437](<https://vulners.com/cve/CVE-2020-1437>)4.6Warning \n[CVE-2020-1436](<https://vulners.com/cve/CVE-2020-1436>)6.8High \n[CVE-2020-1430](<https://vulners.com/cve/CVE-2020-1430>)4.6Warning \n[CVE-2020-1428](<https://vulners.com/cve/CVE-2020-1428>)4.6Warning \n[CVE-2020-1396](<https://vulners.com/cve/CVE-2020-1396>)4.6Warning \n[CVE-2020-1397](<https://vulners.com/cve/CVE-2020-1397>)4.3Warning \n[CVE-2020-1390](<https://vulners.com/cve/CVE-2020-1390>)4.6Warning \n[CVE-2020-1359](<https://vulners.com/cve/CVE-2020-1359>)4.6Warning \n[CVE-2020-1371](<https://vulners.com/cve/CVE-2020-1371>)4.6Warning \n[CVE-2020-1351](<https://vulners.com/cve/CVE-2020-1351>)2.1Warning \n[CVE-2020-1040](<https://vulners.com/cve/CVE-2020-1040>)7.7Critical \n[CVE-2020-1041](<https://vulners.com/cve/CVE-2020-1041>)7.7Critical \n[CVE-2020-1042](<https://vulners.com/cve/CVE-2020-1042>)7.7Critical \n[CVE-2020-1043](<https://vulners.com/cve/CVE-2020-1043>)7.7Critical \n[CVE-2020-1373](<https://vulners.com/cve/CVE-2020-1373>)4.6Warning \n[CVE-2020-1410](<https://vulners.com/cve/CVE-2020-1410>)9.3Critical \n[CVE-2020-1374](<https://vulners.com/cve/CVE-2020-1374>)5.1High \n[CVE-2020-1085](<https://vulners.com/cve/CVE-2020-1085>)4.6Warning \n[CVE-2020-1407](<https://vulners.com/cve/CVE-2020-1407>)9.3Critical \n[CVE-2020-1400](<https://vulners.com/cve/CVE-2020-1400>)9.3Critical \n[CVE-2020-1401](<https://vulners.com/cve/CVE-2020-1401>)9.3Critical \n[CVE-2020-1402](<https://vulners.com/cve/CVE-2020-1402>)7.2High \n[CVE-2020-1427](<https://vulners.com/cve/CVE-2020-1427>)4.6Warning \n[CVE-2020-1468](<https://vulners.com/cve/CVE-2020-1468>)4.3Warning \n[CVE-2020-1408](<https://vulners.com/cve/CVE-2020-1408>)9.3Critical 
\n[CVE-2020-1409](<https://vulners.com/cve/CVE-2020-1409>)9.3Critical \n[CVE-2020-1421](<https://vulners.com/cve/CVE-2020-1421>)9.3Critical\n\n### *KB list*:\n[4565524](<http://support.microsoft.com/kb/4565524>) \n[4565479](<http://support.microsoft.com/kb/4565479>) \n[4565529](<http://support.microsoft.com/kb/4565529>) \n[4565539](<http://support.microsoft.com/kb/4565539>) \n[4565353](<http://support.microsoft.com/kb/4565353>) \n[4565354](<http://support.microsoft.com/kb/4565354>) \n[4565536](<http://support.microsoft.com/kb/4565536>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "kaspersky", "title": "KLA11863 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1032", "CVE-2020-1036", "CVE-2020-1040", "CVE-2020-1041", "CVE-2020-1042", "CVE-2020-1043", "CVE-2020-1085", "CVE-2020-1267", "CVE-2020-1333", "CVE-2020-1346", "CVE-2020-1350", "CVE-2020-1351", "CVE-2020-1354", "CVE-2020-1359", "CVE-2020-1360", "CVE-2020-1365", "CVE-2020-1371", "CVE-2020-1373", 
"CVE-2020-1374", "CVE-2020-1384", "CVE-2020-1389", "CVE-2020-1390", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1400", "CVE-2020-1401", "CVE-2020-1402", "CVE-2020-1403", "CVE-2020-1407", "CVE-2020-1408", "CVE-2020-1409", "CVE-2020-1410", "CVE-2020-1412", "CVE-2020-1419", "CVE-2020-1421", "CVE-2020-1427", "CVE-2020-1428", "CVE-2020-1430", "CVE-2020-1435", "CVE-2020-1436", "CVE-2020-1437", "CVE-2020-1438", "CVE-2020-1468"], "modified": "2020-07-22T00:00:00", "id": "KLA11863", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11863/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T15:24:15", "description": "### *Detect date*:\n07/14/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 2004 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 8.1 for x64-based systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1803 for x64-based Systems \nWindows RT 8.1 \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2019 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service 
Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-1347](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1347>) \n[CVE-2020-1346](<https://nvd.nist.gov/vuln/detail/CVE-2020-1346>) \n[CVE-2020-1344](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1344>) \n[CVE-2020-1267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1267>) \n[CVE-2020-1419](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1419>) \n[CVE-2020-1418](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1418>) \n[CVE-2020-1413](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1413>) \n[CVE-2020-1412](<https://nvd.nist.gov/vuln/detail/CVE-2020-1412>) \n[CVE-2020-1411](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1411>) \n[CVE-2020-1410](<https://nvd.nist.gov/vuln/detail/CVE-2020-1410>) \n[CVE-2020-1415](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1415>) \n[CVE-2020-1414](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1414>) \n[CVE-2020-1358](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1358>) \n[CVE-2020-1359](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1359>) \n[CVE-2020-1350](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1350>) \n[CVE-2020-1351](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1351>) 
\n[CVE-2020-1352](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1352>) \n[CVE-2020-1353](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1353>) \n[CVE-2020-1354](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1354>) \n[CVE-2020-1355](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1355>) \n[CVE-2020-1356](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1356>) \n[CVE-2020-1357](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1357>) \n[CVE-2020-1085](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1085>) \n[CVE-2020-1404](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1404>) \n[CVE-2020-1405](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1405>) \n[CVE-2020-1406](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1406>) \n[CVE-2020-1407](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1407>) \n[CVE-2020-1400](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1400>) \n[CVE-2020-1401](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1401>) \n[CVE-2020-1402](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1402>) \n[CVE-2020-1408](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1408>) \n[CVE-2020-1409](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1409>) \n[CVE-2020-1336](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1336>) \n[CVE-2020-1333](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1333>) \n[CVE-2020-1330](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1330>) 
\n[CVE-2020-1463](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1463>) \n[CVE-2020-1468](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1468>) \n[CVE-2020-1382](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1382>) \n[CVE-2020-1381](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1381>) \n[CVE-2020-1387](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1387>) \n[CVE-2020-1386](<https://nvd.nist.gov/vuln/detail/CVE-2020-1386>) \n[CVE-2020-1385](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1385>) \n[CVE-2020-1384](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1384>) \n[CVE-2020-1389](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1389>) \n[CVE-2020-1388](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1388>) \n[CVE-2020-1398](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1398>) \n[CVE-2020-1399](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1399>) \n[CVE-2020-1394](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1394>) \n[CVE-2020-1395](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1395>) \n[CVE-2020-1396](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1396>) \n[CVE-2020-1397](<https://nvd.nist.gov/vuln/detail/CVE-2020-1397>) \n[CVE-2020-1390](<https://nvd.nist.gov/vuln/detail/CVE-2020-1390>) \n[CVE-2020-1391](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1391>) \n[CVE-2020-1392](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1392>) \n[CVE-2020-1393](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1393>) 
\n[CVE-2020-1040](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1040>) \n[CVE-2020-1041](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1041>) \n[CVE-2020-1042](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1042>) \n[CVE-2020-1043](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1043>) \n[CVE-2020-1032](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1032>) \n[CVE-2020-1036](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1036>) \n[CVE-2020-1361](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1361>) \n[CVE-2020-1360](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1360>) \n[CVE-2020-1363](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1363>) \n[CVE-2020-1362](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1362>) \n[CVE-2020-1365](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1365>) \n[CVE-2020-1364](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1364>) \n[CVE-2020-1367](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1367>) \n[CVE-2020-1366](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1366>) \n[CVE-2020-1369](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1369>) \n[CVE-2020-1368](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1368>) \n[CVE-2020-1438](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1438>) \n[CVE-2020-1435](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1435>) \n[CVE-2020-1434](<https://nvd.nist.gov/vuln/detail/CVE-2020-1434>) \n[CVE-2020-1437](<https://nvd.nist.gov/vuln/detail/CVE-2020-1437>) 
\n[CVE-2020-1436](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1436>) \n[CVE-2020-1431](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1431>) \n[CVE-2020-1430](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1430>) \n[CVE-2020-1372](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1372>) \n[CVE-2020-1373](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1373>) \n[CVE-2020-1370](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1370>) \n[CVE-2020-1371](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1371>) \n[CVE-2020-1374](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1374>) \n[CVE-2020-1375](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1375>) \n[CVE-2020-1249](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1249>) \n[CVE-2020-1428](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1428>) \n[CVE-2020-1429](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1429>) \n[CVE-2020-1426](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1426>) \n[CVE-2020-1427](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1427>) \n[CVE-2020-1424](<https://nvd.nist.gov/vuln/detail/CVE-2020-1424>) \n[CVE-2020-1422](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1422>) \n[CVE-2020-1423](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1423>) \n[CVE-2020-1420](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1420>) \n[CVE-2020-1421](<https://nvd.nist.gov/vuln/detail/CVE-2020-1421>) \n[ADV200008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200008>) \n\n\n### *Impacts*:\nACE \n\n### *Related 
products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2020-1393](<https://vulners.com/cve/CVE-2020-1393>)4.6Warning \n[CVE-2020-1333](<https://vulners.com/cve/CVE-2020-1333>)3.7Warning \n[CVE-2020-1384](<https://vulners.com/cve/CVE-2020-1384>)4.6Warning \n[CVE-2020-1346](<https://vulners.com/cve/CVE-2020-1346>)4.6Warning \n[CVE-2020-1389](<https://vulners.com/cve/CVE-2020-1389>)2.1Warning \n[CVE-2020-1032](<https://vulners.com/cve/CVE-2020-1032>)7.7Critical \n[CVE-2020-1036](<https://vulners.com/cve/CVE-2020-1036>)7.7Critical \n[CVE-2020-1360](<https://vulners.com/cve/CVE-2020-1360>)4.6Warning \n[CVE-2020-1267](<https://vulners.com/cve/CVE-2020-1267>)4.0Warning \n[CVE-2020-1365](<https://vulners.com/cve/CVE-2020-1365>)4.6Warning \n[CVE-2020-1354](<https://vulners.com/cve/CVE-2020-1354>)4.6Warning \n[CVE-2020-1419](<https://vulners.com/cve/CVE-2020-1419>)2.1Warning \n[CVE-2020-1438](<https://vulners.com/cve/CVE-2020-1438>)4.6Warning \n[CVE-2020-1435](<https://vulners.com/cve/CVE-2020-1435>)9.3Critical \n[CVE-2020-1412](<https://vulners.com/cve/CVE-2020-1412>)9.3Critical \n[CVE-2020-1437](<https://vulners.com/cve/CVE-2020-1437>)4.6Warning \n[CVE-2020-1436](<https://vulners.com/cve/CVE-2020-1436>)6.8High \n[CVE-2020-1430](<https://vulners.com/cve/CVE-2020-1430>)4.6Warning \n[CVE-2020-1428](<https://vulners.com/cve/CVE-2020-1428>)4.6Warning \n[CVE-2020-1396](<https://vulners.com/cve/CVE-2020-1396>)4.6Warning \n[CVE-2020-1397](<https://vulners.com/cve/CVE-2020-1397>)4.3Warning \n[CVE-2020-1390](<https://vulners.com/cve/CVE-2020-1390>)4.6Warning \n[CVE-2020-1359](<https://vulners.com/cve/CVE-2020-1359>)4.6Warning \n[CVE-2020-1371](<https://vulners.com/cve/CVE-2020-1371>)4.6Warning \n[CVE-2020-1351](<https://vulners.com/cve/CVE-2020-1351>)2.1Warning \n[CVE-2020-1040](<https://vulners.com/cve/CVE-2020-1040>)7.7Critical \n[CVE-2020-1041](<https://vulners.com/cve/CVE-2020-1041>)7.7Critical 
\n[CVE-2020-1042](<https://vulners.com/cve/CVE-2020-1042>)7.7Critical \n[CVE-2020-1043](<https://vulners.com/cve/CVE-2020-1043>)7.7Critical \n[CVE-2020-1373](<https://vulners.com/cve/CVE-2020-1373>)4.6Warning \n[CVE-2020-1410](<https://vulners.com/cve/CVE-2020-1410>)9.3Critical \n[CVE-2020-1374](<https://vulners.com/cve/CVE-2020-1374>)5.1High \n[CVE-2020-1085](<https://vulners.com/cve/CVE-2020-1085>)4.6Warning \n[CVE-2020-1407](<https://vulners.com/cve/CVE-2020-1407>)9.3Critical \n[CVE-2020-1400](<https://vulners.com/cve/CVE-2020-1400>)9.3Critical \n[CVE-2020-1401](<https://vulners.com/cve/CVE-2020-1401>)9.3Critical \n[CVE-2020-1402](<https://vulners.com/cve/CVE-2020-1402>)7.2High \n[CVE-2020-1427](<https://vulners.com/cve/CVE-2020-1427>)4.6Warning \n[CVE-2020-1468](<https://vulners.com/cve/CVE-2020-1468>)4.3Warning \n[CVE-2020-1408](<https://vulners.com/cve/CVE-2020-1408>)9.3Critical \n[CVE-2020-1409](<https://vulners.com/cve/CVE-2020-1409>)9.3Critical \n[CVE-2020-1421](<https://vulners.com/cve/CVE-2020-1421>)9.3Critical \n[CVE-2020-1347](<https://vulners.com/cve/CVE-2020-1347>)4.6Warning \n[CVE-2020-1344](<https://vulners.com/cve/CVE-2020-1344>)4.6Warning \n[CVE-2020-1418](<https://vulners.com/cve/CVE-2020-1418>)7.2High \n[CVE-2020-1413](<https://vulners.com/cve/CVE-2020-1413>)4.6Warning \n[CVE-2020-1411](<https://vulners.com/cve/CVE-2020-1411>)7.2High \n[CVE-2020-1415](<https://vulners.com/cve/CVE-2020-1415>)4.6Warning \n[CVE-2020-1414](<https://vulners.com/cve/CVE-2020-1414>)4.6Warning \n[CVE-2020-1358](<https://vulners.com/cve/CVE-2020-1358>)2.1Warning \n[CVE-2020-1352](<https://vulners.com/cve/CVE-2020-1352>)4.6Warning \n[CVE-2020-1353](<https://vulners.com/cve/CVE-2020-1353>)4.6Warning \n[CVE-2020-1355](<https://vulners.com/cve/CVE-2020-1355>)4.6Warning \n[CVE-2020-1356](<https://vulners.com/cve/CVE-2020-1356>)4.6Warning \n[CVE-2020-1357](<https://vulners.com/cve/CVE-2020-1357>)4.6Warning \n[CVE-2020-1404](<https://vulners.com/cve/CVE-2020-1404>)4.6Warning 
\n[CVE-2020-1405](<https://vulners.com/cve/CVE-2020-1405>)3.6Warning \n[CVE-2020-1406](<https://vulners.com/cve/CVE-2020-1406>)7.2High \n[CVE-2020-1336](<https://vulners.com/cve/CVE-2020-1336>)4.6Warning \n[CVE-2020-1330](<https://vulners.com/cve/CVE-2020-1330>)2.1Warning \n[CVE-2020-1463](<https://vulners.com/cve/CVE-2020-1463>)4.6Warning \n[CVE-2020-1382](<https://vulners.com/cve/CVE-2020-1382>)4.6Warning \n[CVE-2020-1381](<https://vulners.com/cve/CVE-2020-1381>)4.6Warning \n[CVE-2020-1387](<https://vulners.com/cve/CVE-2020-1387>)4.6Warning \n[CVE-2020-1386](<https://vulners.com/cve/CVE-2020-1386>)2.1Warning \n[CVE-2020-1385](<https://vulners.com/cve/CVE-2020-1385>)4.6Warning \n[CVE-2020-1388](<https://vulners.com/cve/CVE-2020-1388>)4.6Warning \n[CVE-2020-1398](<https://vulners.com/cve/CVE-2020-1398>)4.6Warning \n[CVE-2020-1399](<https://vulners.com/cve/CVE-2020-1399>)4.6Warning \n[CVE-2020-1394](<https://vulners.com/cve/CVE-2020-1394>)4.6Warning \n[CVE-2020-1395](<https://vulners.com/cve/CVE-2020-1395>)4.6Warning \n[CVE-2020-1391](<https://vulners.com/cve/CVE-2020-1391>)2.1Warning \n[CVE-2020-1392](<https://vulners.com/cve/CVE-2020-1392>)4.6Warning \n[CVE-2020-1361](<https://vulners.com/cve/CVE-2020-1361>)2.1Warning \n[CVE-2020-1363](<https://vulners.com/cve/CVE-2020-1363>)4.6Warning \n[CVE-2020-1362](<https://vulners.com/cve/CVE-2020-1362>)4.6Warning \n[CVE-2020-1364](<https://vulners.com/cve/CVE-2020-1364>)3.6Warning \n[CVE-2020-1367](<https://vulners.com/cve/CVE-2020-1367>)2.1Warning \n[CVE-2020-1366](<https://vulners.com/cve/CVE-2020-1366>)4.6Warning \n[CVE-2020-1369](<https://vulners.com/cve/CVE-2020-1369>)4.6Warning \n[CVE-2020-1368](<https://vulners.com/cve/CVE-2020-1368>)4.6Warning \n[CVE-2020-1434](<https://vulners.com/cve/CVE-2020-1434>)4.6Warning \n[CVE-2020-1431](<https://vulners.com/cve/CVE-2020-1431>)4.6Warning \n[CVE-2020-1372](<https://vulners.com/cve/CVE-2020-1372>)4.6Warning \n[CVE-2020-1370](<https://vulners.com/cve/CVE-2020-1370>)4.6Warning 
\n[CVE-2020-1375](<https://vulners.com/cve/CVE-2020-1375>)4.6Warning \n[CVE-2020-1249](<https://vulners.com/cve/CVE-2020-1249>)4.6Warning \n[CVE-2020-1429](<https://vulners.com/cve/CVE-2020-1429>)7.2High \n[CVE-2020-1426](<https://vulners.com/cve/CVE-2020-1426>)2.1Warning \n[CVE-2020-1424](<https://vulners.com/cve/CVE-2020-1424>)7.2High \n[CVE-2020-1422](<https://vulners.com/cve/CVE-2020-1422>)4.6Warning \n[CVE-2020-1423](<https://vulners.com/cve/CVE-2020-1423>)4.6Warning \n[CVE-2020-1420](<https://vulners.com/cve/CVE-2020-1420>)2.1Warning\n\n### *KB list*:\n[4565541](<http://support.microsoft.com/kb/4565541>) \n[4558998](<http://support.microsoft.com/kb/4558998>) \n[4565489](<http://support.microsoft.com/kb/4565489>) \n[4565483](<http://support.microsoft.com/kb/4565483>) \n[4565508](<http://support.microsoft.com/kb/4565508>) \n[4565511](<http://support.microsoft.com/kb/4565511>) \n[4565513](<http://support.microsoft.com/kb/4565513>) \n[4565537](<http://support.microsoft.com/kb/4565537>) \n[4565503](<http://support.microsoft.com/kb/4565503>) \n[4565540](<http://support.microsoft.com/kb/4565540>) \n[4565554](<http://support.microsoft.com/kb/4565554>) \n[4565553](<http://support.microsoft.com/kb/4565553>) \n[4566425](<http://support.microsoft.com/kb/4566425>) \n[4558997](<http://support.microsoft.com/kb/4558997>) \n[4565911](<http://support.microsoft.com/kb/4565911>) \n[4565912](<http://support.microsoft.com/kb/4565912>) \n[4566785](<http://support.microsoft.com/kb/4566785>) \n[4566426](<http://support.microsoft.com/kb/4566426>) \n[4565535](<http://support.microsoft.com/kb/4565535>) \n[4565552](<http://support.microsoft.com/kb/4565552>) \n[4571692](<http://support.microsoft.com/kb/4571692>) \n[4571694](<http://support.microsoft.com/kb/4571694>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "kaspersky", "title": "KLA11865 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1032", "CVE-2020-1036", "CVE-2020-1040", "CVE-2020-1041", "CVE-2020-1042", "CVE-2020-1043", "CVE-2020-1085", "CVE-2020-1249", "CVE-2020-1267", "CVE-2020-1330", "CVE-2020-1333", "CVE-2020-1336", "CVE-2020-1344", "CVE-2020-1346", "CVE-2020-1347", "CVE-2020-1350", "CVE-2020-1351", "CVE-2020-1352", "CVE-2020-1353", "CVE-2020-1354", "CVE-2020-1355", "CVE-2020-1356", "CVE-2020-1357", "CVE-2020-1358", "CVE-2020-1359", "CVE-2020-1360", "CVE-2020-1361", "CVE-2020-1362", "CVE-2020-1363", "CVE-2020-1364", "CVE-2020-1365", "CVE-2020-1366", "CVE-2020-1367", "CVE-2020-1368", "CVE-2020-1369", "CVE-2020-1370", "CVE-2020-1371", "CVE-2020-1372", "CVE-2020-1373", "CVE-2020-1374", "CVE-2020-1375", "CVE-2020-1381", "CVE-2020-1382", "CVE-2020-1384", "CVE-2020-1385", "CVE-2020-1386", "CVE-2020-1387", "CVE-2020-1388", "CVE-2020-1389", "CVE-2020-1390", "CVE-2020-1391", "CVE-2020-1392", "CVE-2020-1393", "CVE-2020-1394", "CVE-2020-1395", "CVE-2020-1396", "CVE-2020-1397", "CVE-2020-1398", "CVE-2020-1399", "CVE-2020-1400", "CVE-2020-1401", "CVE-2020-1402", "CVE-2020-1404", "CVE-2020-1405", 
"CVE-2020-1406", "CVE-2020-1407", "CVE-2020-1408", "CVE-2020-1409", "CVE-2020-1410", "CVE-2020-1411", "CVE-2020-1412", "CVE-2020-1413", "CVE-2020-1414", "CVE-2020-1415", "CVE-2020-1418", "CVE-2020-1419", "CVE-2020-1420", "CVE-2020-1421", "CVE-2020-1422", "CVE-2020-1423", "CVE-2020-1424", "CVE-2020-1426", "CVE-2020-1427", "CVE-2020-1428", "CVE-2020-1429", "CVE-2020-1430", "CVE-2020-1431", "CVE-2020-1434", "CVE-2020-1435", "CVE-2020-1436", "CVE-2020-1437", "CVE-2020-1438", "CVE-2020-1463", "CVE-2020-1468"], "modified": "2020-09-10T00:00:00", "id": "KLA11865", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11865/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}