MS14-025: Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)

2014-05-14T00:00:00

Description

The remote Windows host is potentially affected by a vulnerability in the way that Active Directory distributes passwords that are configured using Group Policy preferences. This could allow a remote attacker to retrieve and decrypt passwords stored with Group Policy preferences. The following group policy preferences extensions are affected : - Local user and group - Mapped drives - Services - Scheduled tasks (Uplevel) - Scheduled tasks (Downlevel) - Immediate tasks (Uplevel) - Immediate tasks (Downlevel) - Data sources Note that this update does not remove any existing Group Policy Objects (GPOs). GPOs using the mentioned group policy preferences will need to be updated to not distribute passwords.

{"symantec": [{"lastseen": "2021-06-08T18:47:41", "description": "### Description\n\nMicrosoft Active Directory is prone to a privilege-escalation vulnerability. An authenticated attacker can exploit this issue to gain access to services with escalated privileges.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing 6.0 \n * Avaya Aura Conferencing 6.0 Standard \n * Avaya Aura Conferencing 6.0.0 Standard \n * Avaya Aura Conferencing 7.0 \n * Avaya Aura Conferencing 7.0 Standard \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Client Registration Server 6.2 \n * Avaya Meeting Exchange - Recording Server 5.0 \n * Avaya Meeting Exchange - Recording Server 5.0.1 \n * Avaya Meeting Exchange - Recording Server 5.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Recording Server 6.2 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 6.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 6.2 \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Meeting Exchange - Webportal 6.2 \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected device at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of exploitation.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include explained incoming and outgoing traffic. This may indicate exploit attempts to activity that results from successful exploits.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2014-05-13T00:00:00", "type": "symantec", "title": "Microsoft Active Directory CVE-2014-1812 Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-1812"], "modified": "2014-05-13T00:00:00", "id": "SMNTC-67275", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/67275", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2017-07-27T10:48:18", "description": "This host is missing an important security update according to Microsoft\nBulletin MS14-025.", "cvss3": {}, "published": "2014-05-14T00:00:00", "type": "openvas", "title": "Microsoft Group Policy Preferences Privilege Elevation Vulnerability (2962486)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-1812"], "modified": "2017-07-12T00:00:00", "id": "OPENVAS:802073", "href": "http://plugins.openvas.org/nasl.php?oid=802073", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms14-025.nasl 6692 2017-07-12 09:57:43Z teissa $\n#\n# Microsoft Group Policy Preferences Privilege Elevation Vulnerability (2962486)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(802073);\n script_version(\"$Revision: 6692 $\");\n script_cve_id(\"CVE-2014-1812\");\n script_bugtraq_id(67275);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:57:43 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-14 12:36:12 +0530 (Wed, 14 May 2014)\");\n script_tag(name:\"solution_type\", value: \"VendorFix\");\n script_name(\"Microsoft Group Policy Preferences Privilege Elevation Vulnerability (2962486)\");\n\n tag_summary =\n\"This host is missing an important security update according to Microsoft\nBulletin MS14-025.\";\n\n tag_vuldetect =\n\"Get the vulnerable file version and check appropriate patch is applied\nor not.\";\n\n tag_insight =\n\"Flaw is due the way Active Directory distributes passwords that are configured\nusing Group Policy preferences.\";\n\n tag_impact =\n\"Successful exploitation will allow attacker could decrypt the passwords and\nuse them to elevate privileges on the domain.\n\nImpact Level: Application\";\n\n tag_affected =\n\"Microsoft Windows 8 x32/x64\nMicrosoft Windows 8.1 x32/x64\nMicrosoft Windows Server 2012\nMicrosoft Windows Server 2012 R2\nMicrosoft Windows 7 x32/x64 Service Pack 1 and prior\nMicrosoft Windows Vista x32/x64 Service Pack 2 and prior\nMicrosoft Windows Server 2008 R2 x64 Service Pack 1 and prior\nMicrosoft Windows Server 2008 x32/x64 Service Pack 2 and prior \";\n\n tag_solution =\n\"Run Windows Update and update the listed hotfixes or download and\nupdate mentioned hotfixes in the advisory from the below link,\nhttps://technet.microsoft.com/library/security/ms14-025\";\n\n\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"vuldetect\" , value : tag_vuldetect);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/58256\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2928120\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2961899\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/library/security/ms14-025\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Windows : Microsoft Bulletins\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nsysPath = \"\";\nsysVer = \"\";\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(winVista:3, winVistax64:3, win7:2, win7x64:2, win2008:3,\n win2008x64:3, win2008r2:2, win8:1, win8x64:1, win2012:1,\n win8_1:1, win8_1x64:1) <= 0)\n{\n exit(0);\n}\n\n## Client systems are only affected if Remote Server Administration Tools\n## has been installed.\n\n## Server systems are only affected if Group Policy Management is configured.\n## on the server.\ngpmc_key1 = \"SOFTWARE\\Microsoft\\Group Policy Management Console\";\nif(!registry_key_exists(key:gpmc_key1)){\n exit(0);\n}\n\ngpmc_key2 = \"SOFTWARE\\Classes\\AppID\\gppref.dll\";\nif(!registry_key_exists(key:gpmc_key2)){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\n## Get Version from Gppref.dll file\nsysVer = fetch_file_version(sysPath, file_name:\"\\system32\\Gppref.dll\");\nif(!sysVer){\n exit(0);\n}\n\n## Windows Vista and Windows Server 2008\n## Currently not supporting for Vista 64 bit\nif(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n ## Check for Gppref.dll version\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.19047\") ||\n version_in_range(version:sysVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23338\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 7 and Windows 2008 R2\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n ## Check for Gppref.dll version\n if(version_is_less(version:sysVer, test_version:\"6.1.7601.18399\") ||\n version_in_range(version:sysVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.22604\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 8 and 2012\nelse if(hotfix_check_sp(win8:1, win8x64:1, win2012:1) > 0)\n{\n ## Check for Gppref.dll version\n if(version_is_less(version:sysVer, test_version:\"6.2.9200.16859\") ||\n version_in_range(version:sysVer, test_version:\"6.2.9200.20000\", test_version2:\"6.2.9200.20977\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 8.1\n## Currently not supporting for Windows Server 2012 R2\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1) > 0)\n{\n ## Check for Gppref.dll version\n if(version_in_range(version:sysVer, test_version:\"6.3.9600.16000\", test_version2:\"6.3.9600.16659\") ||\n version_in_range(version:sysVer, test_version:\"6.3.9600.17000\", test_version2:\"6.3.9600.17040\")){\n security_message(0);\n }\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2020-01-08T14:01:50", "description": "This host is missing an important security update according to Microsoft\n Bulletin MS14-025.", "cvss3": {}, "published": "2014-05-14T00:00:00", "type": "openvas", "title": "Microsoft Group Policy Preferences Privilege Elevation Vulnerability (2962486)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-1812"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310802073", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802073", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Group Policy Preferences Privilege Elevation Vulnerability (2962486)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802073\");\n script_version(\"2019-12-20T12:48:41+0000\");\n script_cve_id(\"CVE-2014-1812\");\n script_bugtraq_id(67275);\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 12:48:41 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-05-14 12:36:12 +0530 (Wed, 14 May 2014)\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"Microsoft Group Policy Preferences Privilege Elevation Vulnerability (2962486)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security update according to Microsoft\n Bulletin MS14-025.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due the way Active Directory distributes passwords that are configured\n using Group Policy preferences.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker could decrypt the passwords and\n use them to elevate privileges on the domain.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8 x32/x64\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012\n\n - Microsoft Windows Server 2012 R2\n\n - Microsoft Windows 7 x32/x64 Service Pack 1 and prior\n\n - Microsoft Windows Vista x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2928120\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2961899\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms14-025\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Windows : Microsoft Bulletins\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win7:2, win7x64:2, win2008:3,\n win2008x64:3, win2008r2:2, win8:1, win8x64:1, win2012:1,\n win8_1:1, win8_1x64:1) <= 0)\n{\n exit(0);\n}\n\n## Client systems are only affected if Remote Server Administration Tools\n## has been installed.\n\n## Server systems are only affected if Group Policy Management is configured.\n## on the server.\ngpmc_key1 = \"SOFTWARE\\Microsoft\\Group Policy Management Console\";\nif(!registry_key_exists(key:gpmc_key1)){\n exit(0);\n}\n\ngpmc_key2 = \"SOFTWARE\\Classes\\AppID\\gppref.dll\";\nif(!registry_key_exists(key:gpmc_key2)){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"\\system32\\Gppref.dll\");\nif(!sysVer){\n exit(0);\n}\n\n## Currently not supporting for Vista 64 bit\nif(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.19047\") ||\n version_in_range(version:sysVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23338\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.7601.18399\") ||\n version_in_range(version:sysVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.22604\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win8:1, win8x64:1, win2012:1) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.2.9200.16859\") ||\n version_in_range(version:sysVer, test_version:\"6.2.9200.20000\", test_version2:\"6.2.9200.20977\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\n## Currently not supporting for Windows Server 2012 R2\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1) > 0)\n{\n if(version_in_range(version:sysVer, test_version:\"6.3.9600.16000\", test_version2:\"6.3.9600.16659\") ||\n version_in_range(version:sysVer, test_version:\"6.3.9600.17000\", test_version2:\"6.3.9600.17040\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2021-07-28T14:33:38", "edition": 4, "description": "**Name**| ms14_025 \n---|--- \n**CVE**| CVE-2014-1812 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ms14_025 \n**Notes**| CVE Name: CVE-2014-1812 \nVENDOR: Microsoft \nCommandline: runmodule ms14-025 \nReferences: https://technet.microsoft.com/library/security/ms14-025 \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1812 \nDate public: 05/13/2014 \nNOTES: \nMust be run through a PowerShell Node. Uses PowerSploit Function: Get-GPPPassword \ncreated by Chris Campbell and used under BSD 3-Clause License\" \n \nClient systems are only affected if Remote Server Administration Tools has \nbeen installed: \n\\- Windows Vista SP2 \n\\- Windows Vista SP2 x64 \n\\- Windows 7 SP1 \n\\- Windows 7 SP1 x64 \n\\- Windows 8 \n\\- Windows 8 x64 \n\\- Windows 8.1 \n\\- Windows 8.1 x64 \n \nServer systems are only affected if Group Policy Management is configured on \nthe server: \n\\- Windows Server 2008 SP2 \n\\- Windows Server 2008 SP2 x64 \n\\- Windows Server 2008 R2 \n\\- Windows Server 2012 \n\\- Windows Server 2012 R2 \n\\- Windows Server 2008 \n \n\n", "cvss3": {}, "published": "2014-05-14T11:13:00", "type": "canvas", "title": "Immunity Canvas: MS14_025", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1812"], "modified": "2014-05-14T11:13:00", "id": "MS14_025", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms14_025", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-04-21T02:51:28", "description": "The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka \u201cGroup Policy Preferences Password Elevation of Privilege Vulnerability.\u201d\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2014-05-14T00:00:00", "type": "attackerkb", "title": "CVE-2014-1812", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1812"], "modified": "2020-09-02T00:00:00", "id": "AKB:9F7ADF1B-8A24-489C-866E-B7A9887DA91A", "href": "https://attackerkb.com/topics/yi7nNjZNSe/cve-2014-1812", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:49:13", "description": "<html><body>Resolves a vulnerability in Windows that could allow elevation of privilege if Active Directory Group Policy Preferences extensions are used to distribute passwords across the domain. This practice could allow an attacker to retrieve and decrypt the password that is stored together with Group Policy preferences.<h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS14-025. To learn more about this security bulletin: <ul class=\"sbody-free_list\"><li>Home users: <div class=\"indent\"><a href=\"https://www.microsoft.com/security/pc-security/updates.aspx\" id=\"kb-link-1\" target=\"_self\">https://www.microsoft.com/security/pc-security/updates.aspx</a></div>Skip the details: Download the updates for your home computer or laptop from the Microsoft Update website now: <div class=\"indent\"><a href=\"https://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">https://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals: <div class=\"indent\"><a href=\"https://technet.microsoft.com/security/bulletin/ms14-025\" id=\"kb-link-3\" target=\"_self\">https://technet.microsoft.com/security/bulletin/MS14-025</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update </h3>Help installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a> Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a> Help protect your Windows-based computer Windows from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a> Local support according to your country: <a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a> </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues and more information about this security update </h3>The following articles contain more information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed under each article link. <ul class=\"sbody-free_list\"><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2928120\" id=\"kb-link-8\">2928120 </a> MS14-025: Description of the security update for Windows Remote Server Administration Tools for systems that have update 2919355 installed: May 13, 2014 </div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2961899\" id=\"kb-link-9\">2961899 </a> MS14-025: Description of the security update for Windows Remote Server Administration Tools for systems that do not have update 2919355 installed: May 13, 2014 </div></li></ul></div><h2>Group Policy Preferences</h2><div class=\"kb-summary-section section\"><h3 class=\"sbody-h3\">Overview </h3>Some Group Policy Preferences can store a password. This functionality is being removed because the password was stored insecurely. This article describes the user interface changes and any available workarounds. The following Group Policy Preferences will no longer allow user names and passwords to be saved: <ul class=\"sbody-free_list\"><li>Drive Maps </li><li>Local Users and Groups </li><li>Scheduled Tasks </li><li>Services </li><li>Data Sources </li></ul>This will affect the behavior of any existing Group Policy Objects (GPOs) in your environment that rely on passwords that are contained in these preferences. It will also prevent creating new Group Policy Preferences by using this functionality. For Drive Maps, Local Users and Groups, and Services, you may be able to achieve similar goals through other, more secure functionality in Windows. For Scheduled Tasks and Data Sources, you will be unable to achieve the same goals that were available through the nonsecure functionality of Group Policy Preferences passwords. </div><h2>Scenarios</h2><div class=\"kb-summary-section section\">The following Group Policy Preferences are affected by this change. Each preference is covered briefly and then in more detail. Additionally, workarounds are provided that enable you to perform the same tasks. <div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\">Affected preference </td><td class=\"sbody-td\">Applies to user </td><td class=\"sbody-td\">Applies to computer </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Local user management</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mapped drives</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\"><div class=\"sbody-error\">No</div></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Services</td><td class=\"sbody-td\"><div class=\"sbody-error\">No</div></td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Scheduled tasks (up-level)</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Scheduled tasks (down-level)</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Immediate tasks (up-level)</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Immediate tasks (down-level)</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Data sources</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr></table></div><h3 class=\"sbody-h3\">Summary of changes </h3><ul class=\"sbody-free_list\"><li>Password fields in all affected preferences are disabled. Administrators cannot create new preferences by using these password fields.</li><li>The username field is disabled in some preferences. </li><li>Existing preferences that contain a password cannot be updated. They can only be deleted or disabled, as appropriate for the specific preference.</li><li>The behavior for Delete and Disable actions have not changed for the preferences.</li><li>When an administrator opens any preference that contains the CPassword attribute, the administrator receives the following warning dialog box to inform him or her of the recent deprecation. Attempts to save changes to new or existing preferences that require the CPassword attribute will trigger the same dialog box. Only Delete and Disable actions will not trigger warning dialog boxes.</li></ul> <img alt=\"CPassword Security Warning \" class=\"graphic\" src=\"/Library/Images/2967511.png\" title=\"CPassword Security Warning \"/> <h3 class=\"sbody-h3\">Scenario 1: Local user management </h3>The Local User Management preference is frequently used to create local administrators who have a known password on a computer. This feature is not secure because of\u00a0the way that Group Policy Preferences stores passwords. Therefore, this functionality is no longer available. The following preferences are affected:\u00a0<ul class=\"sbody-free_list\"><li>Computer Configuration -> Control Panel Settings -> Local Users and Groups-> New-> Local User</li><li>User Configuration -> Control Panel Settings -> Local Users and Groups-> New-> Local User</li></ul><h4 class=\"sbody-h4\">Important changes </h4>Action:\u00a0Create or Replace <ul class=\"sbody-free_list\"><li>The User name, Password, and Confirm Password fields are disabled.</li><li>The warning dialog box appears when the administrator opens or tries to save any changes to an existing preference that contains a password.</li></ul> <img alt=\"Local User - Create or Replace \" class=\"graphic\" src=\"/Library/Images/2967512.png\" title=\"Local User - Create or Replace \"/> Action:\u00a0Update <ul class=\"sbody-free_list\"><li>The Password and Confirm Password fields are disabled.</li><li>The warning dialog box\u00a0appears when the administrator opens or tries to save any changes to an existing preference that contains a password.</li></ul> <img alt=\"Local User - Update \" class=\"graphic\" src=\"/Library/Images/2967513.png\" title=\"Local User - Update \"/> Action:\u00a0Delete <ul class=\"sbody-free_list\"><li>No change in behavior</li></ul><h4 class=\"sbody-h4\">Workarounds </h4>For those who previously relied on the Group Policy Preference for setting local administrator passwords, the following script is provided as a secure alternative to CPassword. Copy and save the contents to a new Windows PowerShell file, and then run the script as indicated in its .EXAMPLE section. Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. <pre class=\"sbody-pre\"> function Invoke-PasswordRoll { <# .SYNOPSIS This script can be used to set the local account passwords on remote machines to random passwords. The username/password/server combination will be saved in a CSV file. The account passwords stored in the CSV file can be encrypted using a password of the administrators choosing to ensure clear-text account passwords aren't written to disk. The encrypted passwords can be decrypted using another function in this file: ConvertTo-CleartextPassword Function: Invoke-PasswordRoll Author: Microsoft Version: 1.0 .DESCRIPTION This script can be used to set the local account passwords on remote machines to random passwords. The username/password/server combination will be saved in a CSV file. The account passwords stored in the CSV file can be encrypted using a password of the administrators choosing to ensure clear-text account passwords aren't written to disk. The encrypted passwords can be decrypted using another function in this file: ConvertTo-CleartextPassword .PARAMETER ComputerName An array of computers to run the script against using PowerShell remoting. .PARAMETER LocalAccounts An array of local accounts whose password should be changed. .PARAMETER TsvFileName The file to output the username/password/server combinations to. .PARAMETER EncryptionKey A password to encrypt the TSV file with. Uses AES encryption. Only the passwords stored in the TSV file will be encrypted, the username and servername will be clear-text. .PARAMETER PasswordLength The length of the passwords which will be randomly generated for local accounts. .PARAMETER NoEncryption Do not encrypt the account passwords stored in the TSV file. This will result in clear-text passwords being written to disk. .EXAMPLE . .\\Invoke-PasswordRoll.ps1 #Loads the functions in this script file Invoke-PasswordRoll -ComputerName (Get-Content computerlist.txt) -LocalAccounts @(\"administrator\",\"CustomLocalAdmin\") -TsvFileName \"LocalAdminCredentials.tsv\" -EncryptionKey \"Password1\" Connects to all the computers stored in the file \"computerlist.txt\". If the local account \"administrator\" and/or \"CustomLocalAdmin\" are present on the system, their password is changed to a randomly generated password of length 20 (the default). The username/password/server combinations are stored in LocalAdminCredentials.tsv, and the account passwords are AES encrypted using the password \"Password1\". .EXAMPLE . .\\Invoke-PasswordRoll.ps1 #Loads the functions in this script file Invoke-PasswordRoll -ComputerName (Get-Content computerlist.txt) -LocalAccounts @(\"administrator\") -TsvFileName \"LocalAdminCredentials.tsv\" -NoEncryption -PasswordLength 40 Connects to all the computers stored in the file \"computerlist.txt\". If the local account \"administrator\" is present on the system, its password is changed to a random generated password of length 40. The username/password/server combinations are stored in LocalAdminCredentials.tsv unencrypted. .NOTES Requirements: -PowerShellv2 or above must be installed -PowerShell remoting must be enabled on all systems the script will be run against Script behavior: -If a local account is present on the system, but not specified in the LocalAccounts parameter, the script will write a warning to the screen to alert you to the presence of this local account. The script will continue running when this happens. -If a local account is specified in the LocalAccounts parameter, but the account does not exist on the computer, nothing will happen (an account will NOT be created). -The function ConvertTo-CleartextPassword, contained in this file, can be used to decrypt passwords that are stored encrypted in the TSV file. -If a server specified in ComputerName cannot be connected to, PowerShell will output an error message. -Microsoft advises companies to regularly roll all local and domain account passwords. #> [CmdletBinding(DefaultParameterSetName=\"Encryption\")] Param( [Parameter(Mandatory=$true)] [String[]] $ComputerName, [Parameter(Mandatory=$true)] [String[]] $LocalAccounts, [Parameter(Mandatory=$true)] [String] $TsvFileName, [Parameter(ParameterSetName=\"Encryption\", Mandatory=$true)] [String] $EncryptionKey, [Parameter()] [ValidateRange(20,120)] [Int] $PasswordLength = 20, [Parameter(ParameterSetName=\"NoEncryption\", Mandatory=$true)] [Switch] $NoEncryption ) #Load any needed .net classes Add-Type -AssemblyName \"System.Web\" -ErrorAction Stop #This is the scriptblock that will be executed on every computer specified in ComputerName $RemoteRollScript = { Param( [Parameter(Mandatory=$true, Position=1)] [String[]] $Passwords, [Parameter(Mandatory=$true, Position=2)] [String[]] $LocalAccounts, #This is here so I can record what the server name that the script connected to was, sometimes the DNS records get messed up, it can be nice to have this. [Parameter(Mandatory=$true, Position=3)] [String] $TargettedServerName ) $LocalUsers = Get-WmiObject Win32_UserAccount -Filter \"LocalAccount=true\" | Foreach {$_.Name} #Check if the computer has any local user accounts whose passwords are not going to be rolled by this script foreach ($User in $LocalUsers) { if ($LocalAccounts -inotcontains $User) { Write-Warning \"Server: '$($TargettedServerName)' has a local account '$($User)' whos password is NOT being changed by this script\" } } #For every local account specified that exists on this server, change the password $PasswordIndex = 0 foreach ($LocalAdmin in $LocalAccounts) { $Password = $Passwords[$PasswordIndex] if ($LocalUsers -icontains $LocalAdmin) { try { $objUser = [ADSI]\"WinNT://localhost/$($LocalAdmin), user\" $objUser.psbase.Invoke(\"SetPassword\", $Password) $Properties = @{ TargettedServerName = $TargettedServerName Username = $LocalAdmin Password = $Password RealServerName = $env:computername } $ReturnData = New-Object PSObject -Property $Properties Write-Output $ReturnData } catch { Write-Error \"Error changing password for user:$($LocalAdmin) on server:$($TargettedServerName)\" } } $PasswordIndex++ } } #Generate the password on the client running this script, not on the remote machine. System.Web.Security isn't available in the .NET Client profile. Making this call # on the client running the script ensures only 1 computer needs the full .NET runtime installed (as opposed to every system having the password rolled). function Create-RandomPassword { Param( [Parameter(Mandatory=$true)] [ValidateRange(20,120)] [Int] $PasswordLength ) $Password = [System.Web.Security.Membership]::GeneratePassword($PasswordLength, $PasswordLength / 4) #This should never fail, but I'm putting a sanity check here anyways if ($Password.Length -ne $PasswordLength) { throw new Exception(\"Password returned by GeneratePassword is not the same length as required. Required length: $($PasswordLength). Generated length: $($Password.Length)\") } return $Password } #Main functionality - Generate a password and remote in to machines to change the password of local accounts specified if ($PsCmdlet.ParameterSetName -ieq \"Encryption\") { try { $Sha256 = new-object System.Security.Cryptography.SHA256CryptoServiceProvider $SecureStringKey = $Sha256.ComputeHash([System.Text.UnicodeEncoding]::Unicode.GetBytes($EncryptionKey)) } catch { Write-Error \"Error creating TSV encryption key\" -ErrorAction Stop } } foreach ($Computer in $ComputerName) { #Need to generate 1 password for each account that could be changed $Passwords = @() for ($i = 0; $i -lt $LocalAccounts.Length; $i++) { $Passwords += Create-RandomPassword -PasswordLength $PasswordLength } Write-Output \"Connecting to server '$($Computer)' to roll specified local admin passwords\" $Result = Invoke-Command -ScriptBlock $RemoteRollScript -ArgumentList @($Passwords, $LocalAccounts, $Computer) -ComputerName $Computer #If encryption is being used, encrypt the password with the user supplied key prior to writing to disk if ($Result -ne $null) { if ($PsCmdlet.ParameterSetName -ieq \"NoEncryption\") { $Result | Select-Object Username,Password,TargettedServerName,RealServerName | Export-Csv -Append -Path $TsvFileName -NoTypeInformation } else { #Filters out $null entries returned $Result = $Result | Select-Object Username,Password,TargettedServerName,RealServerName foreach ($Record in $Result) { $PasswordSecureString = ConvertTo-SecureString -AsPlainText -Force -String ($Record.Password) $Record | Add-Member -MemberType NoteProperty -Name EncryptedPassword -Value (ConvertFrom-SecureString -Key $SecureStringKey -SecureString $PasswordSecureString) $Record.PSObject.Properties.Remove(\"Password\") $Record | Select-Object Username,EncryptedPassword,TargettedServerName,RealServerName | Export-Csv -Append -Path $TsvFileName -NoTypeInformation } } } } } function ConvertTo-CleartextPassword { <# .SYNOPSIS This function can be used to decrypt passwords that were stored encrypted by the function Invoke-PasswordRoll. Function: ConvertTo-CleartextPassword Author: Microsoft Version: 1.0 .DESCRIPTION This function can be used to decrypt passwords that were stored encrypted by the function Invoke-PasswordRoll. .PARAMETER EncryptedPassword The encrypted password that was stored in a TSV file. .PARAMETER EncryptionKey The password used to do the encryption. .EXAMPLE . .\\Invoke-PasswordRoll.ps1 #Loads the functions in this script file ConvertTo-CleartextPassword -EncryptionKey \"Password1\" -EncryptedPassword 76492d1116743f0423413b16050a5345MgB8AGcAZgBaAHUAaQBwADAAQgB2AGgAcABNADMASwBaAFoAQQBzADEAeABjAEEAPQA9AHwAZgBiAGYAMAA1ADYANgA2ADEANwBkADQAZgAwADMANABjAGUAZQAxAGIAMABiADkANgBiADkAMAA4ADcANwBhADMAYQA3AGYAOABkADcAMQA5ADQAMwBmAGYANQBhADEAYQBjADcANABkADIANgBhADUANwBlADgAMAAyADQANgA1ADIAOQA0AGMAZQA0ADEAMwAzADcANQAyADUANAAzADYAMAA1AGEANgAzADEAMQA5ADAAYwBmADQAZAA2AGQA\" Decrypts the encrypted password which was stored in the TSV file. #> Param( [Parameter(Mandatory=$true)] [String] $EncryptedPassword, [Parameter(Mandatory=$true)] [String] $EncryptionKey ) $Sha256 = new-object System.Security.Cryptography.SHA256CryptoServiceProvider $SecureStringKey = $Sha256.ComputeHash([System.Text.UnicodeEncoding]::Unicode.GetBytes($EncryptionKey)) [SecureString]$SecureStringPassword = ConvertTo-SecureString -String $EncryptedPassword -Key $SecureStringKey Write-Output ([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($SecureStringPassword))) } </pre>\u00a0 Administrators can add local administrator accounts to computers by creating an Active Directory group and adding it to the local Administrators group through Group Policy Preferences -> Local Group. This action does not cache credentials. The dialog box resembles the following. This workaround does require a connection to Active Directory Domain Services when the user is logged on\u00a0by using these credentials. <img alt=\"Local Group - workaround \" class=\"graphic\" src=\"/Library/Images/2967514.png\" title=\"Local Group - workaround \"/> <h3 class=\"sbody-h3\">Scenario 2: Mapped drives </h3>Administrators use drive maps to allocate network locations to users. The password protection feature is used to make sure of authorized access to the drive. The following preferences are affected: <ul class=\"sbody-free_list\"><li>User Configuration -> Windows Settings -> Drive Maps -> New -> Mapped Drive</li></ul><h4 class=\"sbody-h4\">Important changes </h4>Action: Create, Update, or Replace <ul class=\"sbody-free_list\"><li>The User name, Password, and Confirm password fields are disabled.</li></ul> <img alt=\"Mapped Drive - Create/Update/Replace \" class=\"graphic\" src=\"/Library/Images/2967515.png\" title=\"Mapped Drive - Create/Update/Replace \"/> Action:\u00a0Delete <ul class=\"sbody-free_list\"><li>No change in behavior</li></ul><h4 class=\"sbody-h4\">Workarounds </h4>Instead of using the password method for authentication, you can use Windows Explorer to manage share permissions and allocate rights to users. You can use Active Directory objects to control permissions to the folder. <h3 class=\"sbody-h3\">Scenario 3: Services </h3>You can use the Services preference to change service properties in such a way that they run in a context other than their original security context. The following preferences are affected:\u00a0<ul class=\"sbody-free_list\"><li>Computer Configuration -> Control Panel Settings -> Services -> New -> Service\u00a0</li></ul><h4 class=\"sbody-h4\">Important changes </h4>Startup: No Change,\u00a0Automatic,\u00a0or Manual <ul class=\"sbody-free_list\"><li>The Password and Confirm password fields are disabled.</li><li>The administrator can use only built-in accounts.</li></ul> <img alt=\"Service - Unchanged/Automatic/Manual \" class=\"graphic\" src=\"/Library/Images/2967516.png\" title=\"Service - Unchanged/Automatic/Manual \"/> Startup: Disable <ul class=\"sbody-free_list\"><li>No change in behavior</li></ul>New dialog box<ul class=\"sbody-free_list\"><li>Administrators who try to use non-built-in users for This account\"\u00a0receive the following warning:</li></ul> <img alt=\"Warning against non-builtin users \" class=\"graphic\" src=\"/Library/Images/2967517.png\" title=\"Warning against non-builtin users \"/> <h4 class=\"sbody-h4\">Workarounds </h4>Services can still run as a local system account. Service permissions can be altered as documented in the following article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/256345\" id=\"kb-link-10\">256345 </a> How to Configure Group Policy settings to set security for system services </div> Note\u00a0If the service that you want to configure is not present, you must configure the settings on a computer that has the service running.\u00a0 <h3 class=\"sbody-h3\">Scenario 4: Scheduled and immediate tasks (up-level) </h3>These are used to run scheduled tasks in a specific security context. The ability to store credentials for scheduled tasks to run as an arbitrary user when that user is not logged on is no longer available. The following preferences are affected. (Be aware that on some platforms, \"At least Windows 7\" is replaced with \"Windows Vista and later.\") <ul class=\"sbody-free_list\"><li>\u00a0Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)</li><li>\u00a0Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)</li><li>\u00a0User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)</li><li>\u00a0User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)</li></ul><h4 class=\"sbody-h4\">Important changes </h4>Action:\u00a0Create,\u00a0Update, or Replace <ul class=\"sbody-free_list\"><li>When you select the Run whether user is logged on or not option, a dialog box no longer prompts the administrator for credentials.</li><li>The Do not store password check box is disabled. By default, the box is also checked.</li></ul> <img alt=\"New Scheduled or Immediate Task (Up-level) \" class=\"graphic\" src=\"/Library/Images/2967518.png\" title=\"New Scheduled or Immediate Task (Up-level) \"/> Action: Delete No change in behavior <h4 class=\"sbody-h4\">Workarounds </h4>For the \"Scheduled Task (at least Windows 7)\" and \"Immediate Task (at least Windows 7)\" tasks, administrators can use specific user accounts when the given user is logged on. Or, they can only have access to local resources as that user. These tasks\u00a0still\u00a0can run in the context of the local service.\u00a0<h3 class=\"sbody-h3\"> Scenario 5: Scheduled and immediate tasks (down-level) </h3>This is the down-level version of preferences used to run Scheduled Tasks in a specific security context. The ability to store credentials for scheduled tasks to run as an arbitrary user when that user is not logged on is no longer available. The following preferences are affected: <ul class=\"sbody-free_list\"><li>\u00a0Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task</li><li>\u00a0Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (Windows XP)</li><li>\u00a0User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task</li><li>\u00a0User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (Windows XP)</li></ul><h4 class=\"sbody-h4\">Important changes </h4>Action: Create,\u00a0Update, or Replace <ul class=\"sbody-free_list\"><li>The Run as check box is disabled. Therefore, the User Name, Password, and Confirm Password fields are all disabled.</li></ul> <img alt=\"New Task - Create/Update/Replace (down-level) \" class=\"graphic\" src=\"/Library/Images/2967519.png\" title=\"New Task - Create/Update/Replace (down-level) \"/> Action: Delete No change in behavior <h4 class=\"sbody-h4\">Workarounds </h4>For the \"Scheduled Task\" and \"Immediate Task (Windows XP)\" items, scheduled tasks run by using the permissions that are currently available to the local service.\u00a0 <h3 class=\"sbody-h3\">Scenario 6: Data Sources </h3>The Data Sources preference is used to associate a data source with a computer or user. This feature no longer stores credentials to enable access to data sources that are protected by a password. The following preferences are affected:\u00a0<ul class=\"sbody-free_list\"><li>Computer Configuration -> Control Panel Settings -> Data Sources</li><li>User Configuration -> Control Panel Settings -> Data Sources</li></ul><h4 class=\"sbody-h4\">Important Changes </h4>Action:\u00a0Create,\u00a0Update, or Replace <ul class=\"sbody-free_list\"><li>The User Name, Password, and Confirm Password fields are disabled:</li></ul> <img alt=\"Data Sources - Create/Update/Replace \" class=\"graphic\" src=\"/Library/Images/2967520.png\" title=\"Data Sources - Create/Update/Replace \"/> Action:\u00a0Delete <ul class=\"sbody-free_list\"><li>No change in behavior</li></ul><h4 class=\"sbody-h4\">Workarounds </h4>No workarounds are available. This preference no longer stores credentials to allow access to data sources that are protected by a password.\u00a0 </div><h2>Deprecation of CPassword</h2><div class=\"kb-summary-section section\"><h3 class=\"sbody-h3\">Removing CPassword </h3>The Windows PowerShell script that is included in this Microsoft Knowledge Base article detects whether a domain contains any Group Policy Preferences that might use CPassword. If CPassword XML is detected in a given preference, it is displayed in this list.\u00a0 <h4 class=\"sbody-h4\">Detecting CPassword preferences </h4>This script must be run from a local directory on the domain controller that you want to clean. Copy and save the contents to a new Windows PowerShell file, determine your system drive, and then run the script as indicated in the following usage. <pre class=\"sbody-pre\"> <# .SYNOPSIS Group Policy objects in your domain can have preferences that store passwords for different tasks, such as the following: 1. Data Sources 2. Drive Maps 3. Local Users 4. Scheduled Tasks (both XP and up-level) 5. Services These passwords are stored in SYSVOL as part of GP preferences and are not secure because of weak encryption (32-byte AES). Therefore, we recommend that you not deploy such preferences in your domain environment and remove any such existing preferences. This script is to help administrator find GP Preferences in their domain's SYSVOL that contains passwords. .DESCRIPTION This script should be run on a DC or a client computer that is installed with RSAT to print all the preferences that contain password with information such as GPO, Preference Name, GPEdit path under which this preference is defined. After you have a list of affected preferences, these preferences can be removed by using the editor in the Group Policy Management Console. .SYNTAX Get-SettingsWithCPassword.ps1 [-Path <String>] .EXAMPLE Get-SettingsWithCPassword.ps1 -Path %WinDir%\\SYSVOL\\domain Get-SettingsWithCPassword.ps1 -Path <GPO Backup Folder Path> .NOTES If Group Policy PS module is not found the output will contain GPO GUIDs instead of GPO names. You can either run this script on a domain controller or rerun the script on the client after you have installed RSAT and enabled the Group Policy module. Or, you can use GPO GUIDs to obtain GPO names by using the Get-GPO cmdlet. .LINK http://go.microsoft.com/fwlink/?LinkID=390507 #> #---------------------------------------------------------------------------------------------------------------- # Input parameters #-------------------------------------------------------------------------------------------------------------- param( [string]$Path = $(throw \"-Path is required.\") # Directory path where GPPs are located. ) #--------------------------------------------------------------------------------------------------------------- $isGPModuleAvailable = $false $impactedPrefs = { \"Groups.xml\", \"ScheduledTasks.xml\",\"Services.xml\", \"DataSources.xml\", \"Drives.xml\" } #---------------------------------------------------------------------------------------------------------------- # import Group olicy module if available #---------------------------------------------------------------------------------------------------------------- if (-not (Get-Module -name \"GroupPolicy\")) { if (Get-Module -ListAvailable | Where-Object { $_.Name -ieq \"GroupPolicy\" }) { $isGPModuleAvailable = $true Import-Module \"GroupPolicy\" } else { Write-Warning \"Unable to import Group Policy module for PowerShell. Therefore, GPO guids will be reported. Run this script on DC to obtain the GPO names, or use the Get-GPO cmdlet (on DC) to obtain the GPO name from GPO guid.\" } } else { $isGPModuleAvailable = $true } Function Enum-SettingsWithCpassword ( [string]$sysvolLocation ) { # GPMC tree paths $commonPath = \" -> Preferences -> Control Panel Settings -> \" $driveMapPath = \" -> Preferences -> Windows Settings -> \" # Recursively obtain all the xml files within the SYVOL location $impactedXmls = Get-ChildItem $sysvolLocation -Recurse -Filter \"*.xml\" | Where-Object { $impactedPrefs -cmatch $_.Name } # Each xml file contains multiple preferences. Iterate through each preference to check whether it # contains cpassword attribute and display it. foreach ( $file in $impactedXmls ) { $fileFullPath = $file.FullName # Set GPP category. If file is located under Machine folder in SYSVOL # the setting is defined under computer configuration otherwise the # setting is a to user configuration if ( $fileFullPath.Contains(\"Machine\") ) { $category = \"Computer Configuration\" } elseif ( $fileFullPath.Contains(\"User\") ) { $category = \"User Configuration\" } else { $category = \"Unknown\" } # Obtain file content as XML try { [xml]$xmlFile = get-content $fileFullPath -ErrorAction Continue } catch [Exception]{ Write-Host $_.Exception.Message } if ($xmlFile -eq $null) { continue } switch ( $file.BaseName ) { Groups { $gppWithCpassword = $xmlFile.SelectNodes(\"Groups/User\") | where-Object { [String]::IsNullOrEmpty($_.Properties.cpassword) -eq $false } $preferenceType = \"Local Users\" } ScheduledTasks { $gppWithCpassword = $xmlFile.SelectNodes(\"ScheduledTasks/*\") | where-Object { [String]::IsNullOrEmpty($_.Properties.cpassword) -eq $false } $preferenceType = \"Scheduled Tasks\" } DataSources { $gppWithCpassword = $xmlFile.SelectNodes(\"DataSources/DataSource\") | where-Object { [String]::IsNullOrEmpty($_.Properties.cpassword) -eq $false } $preferenceType = \"Data sources\" } Drives { $gppWithCpassword = $xmlFile.SelectNodes(\"Drives/Drive\") | where-Object { [String]::IsNullOrEmpty($_.Properties.cpassword) -eq $false } $preferenceType = \"Drive Maps\" } Services { $gppWithCpassword = $xmlFile.SelectNodes(\"NTServices/NTService\") | where-Object { [String]::IsNullOrEmpty($_.Properties.cpassword) -eq $false } $preferenceType = \"Services\" } default { # clear gppWithCpassword and preferenceType for next item. try { Clear-Variable -Name gppWithCpassword -ErrorAction SilentlyContinue Clear-Variable -Name preferenceType -ErrorAction SilentlyContinue } catch [Exception]{} } } if ($gppWithCpassword -ne $null) { # Build GPO name from GUID extracted from filePath $guidRegex = [regex]\"\\{(.*)\\}\" $match = $guidRegex.match($fileFullPath) if ($match.Success) { $gpoGuid = $match.groups[1].value $gpoName = $gpoGuid } else { $gpoName = \"Unknown\" } if($isGPModuleAvailable -eq $true) { try { $gpoInfo = Get-GPO -Guid $gpoGuid -ErrorAction Continue $gpoName = $gpoInfo.DisplayName } catch [Exception] { Write-Host $_.Exception.Message } } # display prefrences that contain cpassword foreach ( $gpp in $gppWithCpassword ) { if ( $preferenceType -eq \"Drive Maps\" ) { $prefLocation = $category + $driveMapPath + $preferenceType } else { $prefLocation = $category + $commonPath + $preferenceType } $obj = New-Object -typeName PSObject $obj | Add-Member \u2013membertype NoteProperty \u2013name GPOName \u2013value ($gpoName) \u2013passthru | Add-Member -MemberType NoteProperty -name Preference -value ($gpp.Name) -passthru | Add-Member -MemberType NoteProperty -name Path -value ($prefLocation) Write-Output $obj } } # end if $gppWithCpassword } # end foreach $file } # end functions Enum-PoliciesWithCpassword #----------------------------------------------------------------------------------- # Check whether Path is valid. Enumerate all settings that contain cpassword. #----------------------------------------------------------------------------------- if (Test-Path $Path ) { Enum-SettingsWithCpassword $Path } else { Write-Warning \"No such directory: $Path\" } </pre> Example usage (assumes that the system drive is C) <pre class=\"sbody-pre\">.\\Get-SettingsWithCPassword.ps1 \u2013path \u201cC:\\Windows\\SYSVOL\\domain\u201d | Format-List </pre> Note\u00a0Be aware that you can also target any backup GPO for the path instead of the domain. The detection script generates a list that resembles the following: <img alt=\"insert graphic \" class=\"graphic\" src=\"/Library/Images/2967134.png\" title=\"insert graphic \"/> For longer lists, consider saving the output to a file: <pre class=\"sbody-pre\">.\\Get-SettingsWithCPassword.ps1 \u2013path \u201cC:\\Windows\\SYSVOL\\domain\u201d | ConvertTo-Html > gpps.html </pre><h4 class=\"sbody-h4\">Removing CPassword preferences </h4>In order to remove the preferences that contain CPassword data, we suggest that you use Group Policy Management Console (GPMC) on the domain controller or from a client that has Remote Server Administration Tools installed. You can remove any preference in five steps on these consoles. To do this, follow these steps: <ol class=\"sbody-num_list\"><li>In GPMC, open the preference that contains CPassword data. </li><li>Change the action to Delete or Disable, as applicable to the preference.</li><li>Click OK to save your changes. </li><li>Wait for one or two Group Policy refresh cycles to allow changes to propagate to clients.</li><li>After changes are applied on all clients, delete the preference.</li><li>Repeat steps 1 through 5 as needed to clean your whole environment. When the detection script returns zero results, you are finished.</li></ol><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\">File hash information </div><div class=\"faq-panel-body\" faq-panel-body=\"\"><div class=\"kb-collapsible kb-collapsible-collapsed\"><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">SHA1 hash</th><th class=\"sbody-th\">SHA256 hash</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2928120-ia64.msu</td><td class=\"sbody-td\">B2A74305CB56191774BFCF9FCDEAA983B26DC9A6</td><td class=\"sbody-td\">DCE8C0F9CEB97DBF1F7B9BAF76458B3770EF01C0EDC581621BC8C3B2C7FD14E7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2928120-x64.msu</td><td class=\"sbody-td\">386457497682A2FB80BC93346D85A9C1BC38FBF7</td><td class=\"sbody-td\">1AF67EB12614F37F4AC327E7B5767AFA085FE676F6E81F0CED95D20393A1D38D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2928120-x86.msu</td><td class=\"sbody-td\">42FF283781CEC9CE34EBF459CA1EFE011D5132C3</td><td class=\"sbody-td\">016D7E9DBBC5E487E397BE0147B590CFBBB5E83795B997894870EC10171E16D4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2928120-ia64.msu</td><td class=\"sbody-td\">5C2196832EC94B99AAF9B074D3938525B7219690</td><td class=\"sbody-td\">9958FA58134F55487521243AD9740BEE0AC210AC290D45C8322E424B3E5EBF16</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2928120-x64.msu</td><td class=\"sbody-td\">EA5332F4E289DC799611EAB8E3EE2E86B7880A4B</td><td class=\"sbody-td\">417A2BA34F8FD367556812197E2395ED40D8B394F9224CDCBE8AB3939795EC2A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2928120-x86.msu</td><td class=\"sbody-td\">7B7B6EE24CD8BE1AB3479F9E1CF9C98982C8BAB1</td><td class=\"sbody-td\">603206D44815EF2DC262016ED13D6569BE13D06E2C6029FB22621027788B8095</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2928120-x64.msu</td><td class=\"sbody-td\">E18FC05B4CCA0E195E62FF0AE534BA39511A8593</td><td class=\"sbody-td\">FCAED97BF1D61F60802D397350380FADED71AED64435D3E9EAA4C0468D80141E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2928120-x86.msu</td><td class=\"sbody-td\">A5DFB34F3B9EAD9FA78C67DFC7ACACFA2FBEAC0B</td><td class=\"sbody-td\">7F00A72D8A15EB2CA70F7146A8014E39A71CFF5E39596F379ACD883239DABD41</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2928120-x64.msu</td><td class=\"sbody-td\">A07FF14EED24F3241D508C50E869540915134BB4</td><td class=\"sbody-td\">6641B1A9C95A7E4F0D5A247B9F488887AC94550B7F1D7B1198D5BCBA92F7A753</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2928120-x86.msu</td><td class=\"sbody-td\">DE84667EC79CBA2006892452660EB99580D27306</td><td class=\"sbody-td\">468EE4FA3A22DDE61D85FD3A9D0583F504105DF2F8256539051BC0B1EB713E9C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2961899-x64.msu</td><td class=\"sbody-td\">10BAE807DB158978BCD5D8A7862BC6B3EF20038B</td><td class=\"sbody-td\">EC26618E23D9278FC1F02CA1F13BB289E1C6C4E0C8DA5D22E1D9CDA0DA8AFF51</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2961899-x86.msu</td><td class=\"sbody-td\">230C64447CC6E4AB3AD7B4D4655B8D8CEFBFBE98</td><td class=\"sbody-td\">E3FAD567AB6CA616E42873D3623A777185BE061232B952938A8846A974FFA7AF</td></tr></table></div></div> </div></div></div></div></body></html>", "edition": 2, "cvss3": {}, "published": "2014-05-13T00:00:00", "type": "mskb", "title": "MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1812"], "modified": "2015-09-29T18:37:40", "id": "KB2962486", "href": "https://support.microsoft.com/en-us/help/2962486/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:27:36", "description": "The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka \"Group Policy Preferences Password Elevation of Privilege Vulnerability.\"", "cvss3": {}, "published": "2014-05-14T11:13:00", "type": "cve", "title": "CVE-2014-1812", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1812"], "modified": "2019-05-13T19:40:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2014-1812", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1812", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2021-06-08T19:16:45", "description": "Windows File Handling code execution, Group Policy Preferences privileges escalation. .Net privileges escalation. Windows Shell privileges escalation. iSCSI DoS.", "edition": 2, "cvss3": {}, "published": "2014-05-14T00:00:00", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-1807", "CVE-2014-0255", "CVE-2014-0315", "CVE-2014-1812", "CVE-2014-1806", "CVE-2014-0256"], "modified": "2014-05-14T00:00:00", "id": "SECURITYVULNS:VULN:13769", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13769", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "qualysblog": [{"lastseen": "2020-12-22T22:56:21", "description": "#### **_Qualys Researchers found Millions of devices exposed to vulnerabilities used in the stolen FireEye Red Team tools and SolarWinds Orion by analyzing the anonymized set of vulnerabilities across Qualys\u2019 worldwide customer base_**\n\n##### **_Qualys to offer a free 60-day integrated Vulnerability Management, Detection and Response service to help organizations quickly assess the devices impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, or FireEye Red Team tools, and to remediate them and track their remediation via dynamic dashboards. Register at <https://www.qualys.com/solarhack/>_**\n\nOn Dec 8, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) the theft of its Red Team assessment tools which leverage over 16 known CVE\u2019s to exploit client environments to test and validate their security posture. [FireEye also confirmed](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>) a trojanized version of SolarWinds Orion software was used to facilitate this theft.\n\nAccess to these sophisticated FireEye Red Team tools stolen by the attackers increases the risk of an attack on an organization\u2019s critical infrastructure. Red teams often use a known set of vulnerabilities to exploit and quickly compromise systems to simulate what a real attacker can do in the network. If these tools fall into the wrong hands, it will increase the chances of successfully exploiting the vulnerabilities.\n\n### Why is this security incident so important?\n\nTo underscore the seriousness of this breach, the Department of Homeland Security has issued an [emergency directive](<https://cyber.dhs.gov/ed/21-01/>) ordering all federal agencies to take immediate steps in mitigating the risk of SolarWinds Orion applications and other security vulnerabilities related to the stolen FireEye Red Team tools. They\u2019ve also strongly recommended that commercial organizations adhere to the same guidance.\n\n### 7+ million vulnerable instances open to potential attack across networks of global organizations analyzed by Qualys researchers\n\nThe Qualys Cloud Platform is the most widely used platform for Vulnerability Management by global organizations. Qualys Vulnerability Research Teams continuously investigate vulnerabilities being exploited by attackers. Since the public release of this information by FireEye and SolarWinds, our researchers have analyzed the state of these anonymized vulnerabilities across networks of organizations using Qualys Cloud Platform. While the number of vulnerable instances of SolarWinds Orion are in the hundreds, our analysis has identified over 7.54 million vulnerable instances related to FireEye Red Team tools across 5.29 million unique assets, highlighting the scope of the potential attack surface if these tools are misused. Organizations need to move quickly to immediately protect themselves from being exploited by these vulnerabilities.\n\nThe good news is that patches have been available for these vulnerabilities for some time. Interestingly, further analysis of those 7.54 million vulnerable instances indicated about 7.53 million or roughly 99.84% are from only eight vulnerabilities in Microsoft\u2019s software as listed below. Luckily Microsoft patches have been available for a while.\n\n### List of 8 patchable security vulnerabilities to significantly reduce attack surface\n\n**CVE ID** | **Release Date** | **Name** | **CVSS** | **Qualys QID(s)** \n---|---|---|---|--- \nCVE-2020-1472 | 08/11/2020 | Microsoft Windows Netlogon Elevation of Privilege Vulnerability| 10 | 91668 \nCVE-2019-0604 | 02/12/2019 | Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2019 Microsoft SharePoint| 9.8 | 110330 \nCVE-2019-0708 | 05/14/2019 | Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (Blue. Keep)| 9.8 | 91541, 91534 \nCVE-2014-1812 | 05/13/2014 | Microsoft Windows Group Policy Preferences Password Elevation of Privilege Vulnerability (KB2962486)| 9 | 91148, 90951 \nCVE-2020-0688 | 02/11/2020 | Microsoft Exchange Server Security Update for February 2020 | 8.8 | 50098 \nCVE-2016-0167 | 04/12/2016 | Microsoft Windows Graphics Component Security Update (MS16-039)| 7.8 | 91204 \nCVE-2017-11774| 10/10/2017 | Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2017 | 7.8 | 110306 \nCVE-2018-8581 | 11/13/2018 | Microsoft Exchange Server Elevation of Privilege Vulnerability| 7.4 | 53018 \n \n* See the [full list of 16 exploitable vulnerabilities and their patch links](<https://blog.qualys.com/vulnerabilities-research/2020/12/09/theft-of-cybersecurity-tools-fireeye-breach>).\n\n### Recommended action to mitigate the risk immediately\n\nBased on sheer risk and scale of these vulnerabilities, it is imperative for organizations to quickly assess the state of these vulnerabilities and missing patches across all their assets impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, or FireEye Red Team tools.\n\n * Immediately deploy applicable patches for all above vulnerabilities across the affected assets.\n * Power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from the network, until patch - is applied.\n * Apply security hygiene controls for the impacted software and operating system to reduce the impact.\n * Search for existence of the following files:\n * [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]\n * [C:\\WINDOWS\\SysWOW64\\netsetupsvc.dll]\n\nand other Indications of Compromise, and remove them along with killing the parent processes that touched them.\n\n### Qualys brings free 60-day integrated Vulnerability Management, Detection and Response service to detect and patch these vulnerabilities\n\nTo help global organizations, Qualys is offering a free service for 60 days, to rapidly address this risk. The service enables customers with -\n\n * Real-time, up-to-date inventory and automated organization of all assets, applications, services running across the hybrid-IT environment\n * Continuous view of all critical vulnerabilities and their prioritization based on real-time threat indicators and attack surface\n * Automatic correlation of applicable patches for identified vulnerabilities\n * Patch Deployment via Qualys Cloud Agents with zero impact to VPN bandwidth\n * Security configuration hygiene assessment to apply as compensating controls to reduce vulnerability risk\n * Unified dashboards that consolidate all insights for management visualization via a single pane of glass\n\nIn addition to Qualys VMDR and Patch Management, organizations can also leverage additional capabilities like EDR and FIM to detect additional indicators of compromise such as malicious files, hashes and remove them from their environment.\n\n![](https://blog.qualys.com/wp-content/uploads/2020/12/solori2-1070x661.png)VMDR prioritization screen with Solorigate SUNBURST RTI selected ![](https://blog.qualys.com/wp-content/uploads/2020/12/dashboard-image.png)Qualys Unified Dashboard showing FireEye Red Team tools & Solorigate/SUNBURST risk\n\n### Existing Qualys customers can immediately leverage their accounts to mitigate their exposure for recommended actions\n\n * Inventory the compromised versions of SolarWinds and VMware applications as well as other actively running services, and processes.\n * Detect all applicable vulnerabilities related to Solorigate/SUNBURST, FireEye tools as well as VMware applications along with a prioritized list of appropriate patches to deploy.\n * Immediately deploy prioritized patches for the above critical vulnerabilities. In case a patch cannot be applied immediately, it leverages the compensating controls to reduce the risk impact until patches can be applied.\n * Additionally, it can detect for the evidence of malicious files and IOCs related to SolarWinds applications and FireEye compromised toolsets and remove them.\n\n### Additional resources\n\n * [CISA Emergency Directive 21-01](<https://cyber.dhs.gov/ed/21-01/>)\n * [SolarWinds Security Advisory](<https://www.solarwinds.com/securityadvisory>)\n * [FireEye Red Team tools countermeasures](<https://github.com/fireeye/red_team_tool_countermeasure>)\n * [Qualys Research on FireEye Theft](<https://blog.qualys.com/vulnerabilities-research/2020/12/09/theft-of-cybersecurity-tools-fireeye-breach>)\n * [Qualys Research on SolarWinds](<https://blog.qualys.com/vulnerabilities-research/2020/12/14/fireeye-breach-leveraged-solarwinds-orion-software>)\n * [How to quickly deploy Qualys cloud agents for Inventory, Vulnerability and Patch Management](<https://blog.qualys.com/product-tech/2020/03/24/how-to-install-the-qualys-cloud-agent-for-remote-workforce>)", "cvss3": {}, "published": "2020-12-22T21:17:31", "type": "qualysblog", "title": "Qualys Security Advisory: SolarWinds / FireEye", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2020-12-22T21:17:31", "id": "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T00:22:53", "description": "**Update Jan 5, 2021**: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\n**Update Dec 23, 2020**: Added a new section on compensating controls.\n\n**Update Dec 22, 2020: **FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.\n\nUsing Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n![](https://blog.qualys.com/wp-content/uploads/2020/12/Solori3-1-1070x417.png)\n\n**Original post**: On December 8, 2020, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way. \n\n\u201cThe attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination,\u201d said Kevin Mandia, CEO of FireEye. However, the stolen tools did not contain zero-day exploits. \n\nIn response to the breach, FireEye has provided Red Team tool countermeasures which are [available on GitHub](<https://github.com/fireeye/red_team_tool_countermeasures>). These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. Since none of the leaked tools leverage zero-day attacks, FireEye also provided a [listing of CVEs](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) used by these tools. \n\nAn analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously. \n\n### Mitigation & Protection \n\n[Snort](<https://www.snort.org/>) is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.\n\n[ClamAV](<https://www.clamav.net/>) is an open-source antivirus engine which is now owned by Cisco. To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus which uses the ClamAV engine.\n\n[Yara](<https://github.com/VirusTotal/yara>) was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine or built in to many endpoint security products as well. The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.\n\nAnother important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them. \n\n### Threat Hunting \n\nHunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to make the determination if the organization has been breached by these tools. \n\nThe HXIOC rules provided are based on the [OpenIOC](<https://github.com/mandiant/OpenIOC_1.1>) format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by [OASIS](<https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti>). The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack. \n\nBy using the provided Yara rule which encompasses all of the Yara countermeasures, you can scan multiple directories using the standalone Yara engine by issuing the \u201cyara -r all-rules.yara <path>\u201d, where <path> is the location you want to recursively scan. \n\nAlternatively, VirusTotal also has a useful API called [RetroHunt](<https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt>) which allows you to scan files submitted within the last 12 months. [Florian Roth](<https://twitter.com/cyb3rops/status/1336583694912516096>) has gone through and submitted all of the provided Yara rules to RetroHunt and created a [Google Sheets document](<https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit>) containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples. \n\n### Detect 16 Publicly Known Vulnerabilities using Qualys VMDR \n\nHere is a prioritized list of CVEs published on [Github](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) by FireEye:\n\n**CVE** **ID**| **Name**| **CVSS**| **Qualys** **QID(s)** \n---|---|---|--- \nCVE-2019-11510| Pre-auth arbitrary file reading from Pulse Secure SSL VPNs| 10| 38771 \nCVE-2020-1472| Microsoft Active Directory escalation of privileges| 10| 91668 \nCVE-2018-13379| pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN| 9.8| 43702 \nCVE-2018-15961| RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)| 9.8| 371186 \nCVE-2019-0604| RCE for Microsoft Sharepoint| 9.8| 110330 \nCVE-2019-0708| RCE of Windows Remote Desktop Services (RDS)| 9.8| 91541, 91534 \nCVE-2019-11580| Atlassian Crowd Remote Code Execution| 9.8| 13525 \nCVE-2019-19781| RCE of Citrix Application Delivery Controller and Citrix Gateway| 9.8| 150273, 372305 \nCVE-2020-10189| RCE for ZoHo ManageEngine Desktop Central| 9.8| 372442 \nCVE-2014-1812| Windows Local Privilege Escalation| 9| 91148, 90951 \nCVE-2019-3398| Confluence Authenticated Remote Code Execution| 8.8| 13475 \nCVE-2020-0688| Remote Command Execution in Microsoft Exchange| 8.8| 50098 \nCVE-2016-0167| local privilege escalation on older versions of Microsoft Windows| 7.8| 91204 \nCVE-2017-11774| RCE in Microsoft Outlook via crafted document execution (phishing)| 7.8| 110306 \nCVE-2018-8581| Microsoft Exchange Server escalation of privileges| 7.4| 53018 \nCVE-2019-8394| Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus| 6.5| 374547 \n \nQualys released several remote and authenticated QIDs for CVEs published by FireEye. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid: [38771, 91668, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018, 374547]_\n\n![](https://blog.qualys.com/wp-content/uploads/2020/12/Screen-Shot-2020-12-11-at-2.33.14-PM-1070x524.png)\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n![](https://blog.qualys.com/wp-content/uploads/2020/12/fireeye-feed2-1070x667.png)\n\nWith VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [FireEye Theft Top 16 CVEs & IOC Hashes](<https://qualys-secure.force.com/customer/s/article/000006470>) dashboard. \n\n![](https://blog.qualys.com/wp-content/uploads/2020/12/TOP-2-1-1070x1747.png) \n\n### **Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools** \n\nTo reduce the overall security risk, it is important to address misconfigurations associated with the CVEs in addition to general security hygiene and system hardening. \n\nQualys customers can leverage the newly released policy \u201c_Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools_.\u201d This policy contains controls which can be used as workarounds / mitigations for these vulnerabilities if patching cannot be done immediately. \n\n**Control List: ** \n\nCVE IDs| Control ID | Statement \n---|---|--- \nCVE-2020-1472| 20002| Status of the 'Domain controller: Allow vulnerable Netlogon secure channel connections' Group policy setting \nCVE-2018-13379 | 20010 | Status of the source interface setting for SSL-VPN \nCVE-2019-19781| 13952 | Status of 'Responder' feature configured on the appliance \nCVE-2019-19781 | 20011 | Status of the responder action configured on the device \nCVE-2019-19781 | 20008 | Status of the responder policies configured on the device \nCVE-2019-19781 | 20009 | Status of the responder global binds configured on the device \nCVE-2016-0167 | 19440 | Status of Trust Center "Block macros from running in Office files from the Internet" setting for a user profile \nCVE-2018-8581 | 20007 | Status of the 'DisableLoopbackCheck' setting \nCVE-2019-0708 | 10404 | Status of the 'Require user authentication for remote connections by using Network Level Authentication' setting \nCVE-2019-0708 | 7519 | Status of the 'Allow users to connect remotely using Remote Desktop Services (Terminal Services)' setting \nCVE-2019-0708 | 1430 | Status of the 'Terminal Services' service \nCVE-2019-0708 | 3932 | Status of the 'Windows Firewall: Inbound connections (Public)' setting \nCVE-2019-0708 | 3948 | Status of the 'Windows Firewall: Inbound connections (Private)' setting \nCVE-2019-0708 | 3949 | Status of the 'Windows Firewall: Inbound connections (Domain)' setting \nCVE-2019-0708 | 3950 | Status of the 'Windows Firewall: Firewall state (Public)' setting \nCVE-2019-0708 | 3951 | Status of the 'Windows Firewall: Firewall state (Private)' setting \nCVE-2019-0708 | 3952 | Status of the 'Windows Firewall: Firewall state (Domain)' setting \nCVE-2019-0708 | 11220 | List of 'Inbound Rules' configured in Windows Firewall with Advanced Security via GPO \nCVE-2017-11774 | 13843 | Status of the 'Do not allow folders in non-default stores to be set as folder home pages' setting \nCVE-2017-11774 | 20003 | Status of the 'EnableRoamingFolderHomepages' registry setting \nCVE-2017-11774 | 20004 | Status of the 'Do not allow Home Page URL to be set in folder Properties' Group policy setting \n \nWith Qualys Configuration Management, you can easily identify misconfigured systems in context of these vulnerabilities. The screenshot below shows the total passing and failing controls for the impacted assets in the report.\n\n![](https://blog.qualys.com/wp-content/uploads/2020/12/image-18.png)\n\nView control posture details with remediation steps. The screenshot below shows control pass/fail details along with actual evidence from impacted asset. \n\n![](https://blog.qualys.com/wp-content/uploads/2020/12/image-19.png)\n\n### FireEye Disclosure of the Theft of their Red Team Assessment Tools \n\nHackers now have an influential collection of new techniques to draw upon. Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environment.\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n![](https://blog.qualys.com/wp-content/uploads/2020/12/Solori3-1-1070x417.png)\n\n### Remediate FireEye-Related Vulnerabilities with Qualys Patch Management\n\n#### Identify and Install Needed Patches\n\nTo view the relevant missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools you may run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n \n \n (qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])\n\n![](https://blog.qualys.com/wp-content/uploads/2021/01/fireeyepatches-1070x528.png)\n\nIt is highly recommended to select all the patches returned by this QQL and add them to a new on-demand patch job. You can then target as many assets as possible and deploy the patch job as soon as possible. Note that the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) will only deploy the right patch to the right asset, meaning the Qualys patch job will do the mapping of patch to asset (so you don\u2019t have to) ensuring only the right patch is deployed to the right asset (in terms of binary architecture, OS version, etc). In addition, if a patch is not needed by a specific asset the Qualys agent will \u201cskip\u201d this asset and the patch will not be deployed.\n\nThe same QQL can be used in the patch assets tab in order to see all the assets that miss at least one of the FireEye-related patches:\n\n![](https://blog.qualys.com/wp-content/uploads/2020/12/assetsfireeye-1070x532.png)\n\n#### Visualize Assets Requiring Patches\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. These widgets will show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\nSteps to Import the Widget:\n\n * Click on "Setting" icon in "Dashboard" section.\n * Select "Import New Widget" option.\n * Enter a name of your choice for the widget.\n * Browse the JSON file to import.\n * Click on "Import" button.\n * On success, you should see the new widget in your Dashboard.\n\nYou can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article. \n\n### Hunting in Endpoint Detection and Response (EDR) \n\nThere are two components to hunt for evidence of these tools using the [Qualys EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment. \n\nThe second component is hunting for evidence of the processes outlined in the OpenIOC signatures. While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for [this Seatbelt signature](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/rules/BELTALOWDA/supplemental/hxioc/SEATBELT%20\$UTILITY\$.ioc>). In the coming days, these hunting queries will be available to all Qualys EDR customers. \n\n![](https://blog.qualys.com/wp-content/uploads/2020/12/image-2.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2020/12/image-4.png)\n\n### Get Started Now \n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority publicly known vulnerabilities. \n\nStart your [Qualys EDR trial](<https://www.qualys.com/apps/endpoint-detection-response/>) to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform \u2013 all in a single, cloud-based app. \n\nStart your [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details. \n\n### References \n\n<https://github.com/fireeye/red_team_tool_countermeasures>\n\n<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>\n\n<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>\n\n<https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html>", "cvss3": {}, "published": "2020-12-10T00:48:29", "type": "qualysblog", "title": "Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-13379", "CVE-2018-15961", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-19781", "CVE-2019-3398", "CVE-2019-8394", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-10T00:48:29", "id": "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-Actual-1.jpg)\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-2.jpg)\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-3.jpg)\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-4-scaled.jpg)\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/patch-mgmt-windows2.jpg)\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-6.jpg)\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2022-01-19T15:19:46", "description": "### *Detect date*:\n11/11/2014\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft products. Malicious users can exploit these vulnerabilities to bypass security restrictions, cause denial of service gain privileges, execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nWindows XP Service pack 3 \nWindows XP Professional x64 Service Pack 3 \nWindows Server 2003 x86, x64, Itanium Service Pack 2 \nWindows Vista x86, x64 Service Pack 2 \nWindows Server 2008 x86, x64, Itanium Service Pack 2 \nWindows 7 x86, x64 Service Pack 1 \nWindows Server 2008 R2 x64, Itanium Service Pacl 1 \nWindows 8 x86, x64 \nWindows 8.1 x86, x64 \nWindows Server 2012 \nWindows Server 2012 R2 \nWindows RT \nWindows RT 8.1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2014-1816](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1816>) \n[CVE-2014-6532](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6532>) \n[CVE-2014-0266](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0266>) \n[CVE-2014-4076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4076>) \n[CVE-2014-6321](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6321>) \n[CVE-2014-6322](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6322>) \n[CVE-2014-6324](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6324>) \n[CVE-2014-1767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1767>) \n[CVE-2014-4077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4077>) \n[CVE-2014-4074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4074>) \n[CVE-2014-1807](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1807>) \n[CVE-2013-5065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2013-5065>) \n[CVE-2014-0300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0300>) \n[CVE-2014-0323](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0323>) \n[CVE-2014-4971](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4971>) \n[CVE-2014-0301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0301>) \n[CVE-2014-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0262>) \n[CVE-2014-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0263>) \n[CVE-2014-4115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4115>) \n[CVE-2014-4113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4113>) \n[CVE-2014-0315](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0315>) \n[CVE-2014-0316](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0316>) \n[CVE-2014-0317](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0317>) \n[CVE-2014-0255](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0255>) \n[CVE-2014-0318](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0318>) \n[CVE-2014-4118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4118>) \n[CVE-2014-6352](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6352>) \n[CVE-2014-6332](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6332>) \n[CVE-2014-0296](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0296>) \n[CVE-2014-0256](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0256>) \n[CVE-2014-1811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1811>) \n[CVE-2014-0254](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0254>) \n[CVE-2014-1819](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1819>) \n[CVE-2014-6355](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6355>) \n[CVE-2014-2780](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-2780>) \n[CVE-2014-2781](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-2781>) \n[CVE-2014-1812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1812>) \n[CVE-2014-4064](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4064>) \n[CVE-2014-6318](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6318>) \n[CVE-2014-1814](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1814>) \n[CVE-2014-4060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4060>) \n[CVE-2014-1824](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1824>) \n[CVE-2014-6317](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6317>) \n[CVE-2014-4114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4114>) \n[CVE-2014-4148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4148>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2014-1816](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1816>)4.3Warning \n[CVE-2014-6532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6532>)9.3Critical \n[CVE-2014-0266](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0266>)7.1High \n[CVE-2014-4076](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4076>)7.2High \n[CVE-2014-6322](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6322>)4.3Warning \n[CVE-2014-6324](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6324>)9.0Critical \n[CVE-2014-1767](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1767>)7.2High \n[CVE-2014-4077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4077>)9.3Critical \n[CVE-2014-4074](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4074>)7.2High \n[CVE-2014-1807](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1807>)7.2High \n[CVE-2013-5065](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065>)7.2High \n[CVE-2014-0300](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0300>)7.2High \n[CVE-2014-0323](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0323>)6.6High \n[CVE-2014-4971](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4971>)7.2High \n[CVE-2014-0301](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0301>)9.3Critical \n[CVE-2014-0262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0262>)7.2High \n[CVE-2014-0263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0263>)9.3Critical \n[CVE-2014-4115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4115>)7.2High \n[CVE-2014-4113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4113>)7.2High \n[CVE-2014-0315](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0315>)6.9High \n[CVE-2014-0316](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0316>)7.5Critical \n[CVE-2014-0317](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0317>)5.4High \n[CVE-2014-0255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0255>)5.0Critical \n[CVE-2014-0318](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0318>)7.2High \n[CVE-2014-4118](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4118>)9.3Critical \n[CVE-2014-6352](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6352>)9.3Critical \n[CVE-2014-6332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>)9.3Critical \n[CVE-2014-0296](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0296>)5.1High \n[CVE-2014-0256](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0256>)5.0Critical \n[CVE-2014-1811](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1811>)5.0Critical \n[CVE-2014-0254](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0254>)7.8Critical \n[CVE-2014-1819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1819>)7.2High \n[CVE-2014-6355](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6355>)5.0Critical \n[CVE-2014-2780](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2780>)6.9High \n[CVE-2014-2781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2781>)7.6Critical \n[CVE-2014-1812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1812>)9.0Critical \n[CVE-2014-4064](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4064>)4.9Warning \n[CVE-2014-6318](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6318>)4.3Warning \n[CVE-2014-1814](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1814>)7.2High \n[CVE-2014-4060](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4060>)6.8High \n[CVE-2014-1824](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1824>)9.3Critical \n[CVE-2014-6317](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6317>)7.1High \n[CVE-2014-4114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4114>)9.3Critical \n[CVE-2014-4148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4148>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[2966631](<http://support.microsoft.com/kb/2966631>) \n[2957482](<http://support.microsoft.com/kb/2957482>) \n[2966061](<http://support.microsoft.com/kb/2966061>) \n[2939576](<http://support.microsoft.com/kb/2939576>) \n[2922229](<http://support.microsoft.com/kb/2922229>) \n[2973201](<http://support.microsoft.com/kb/2973201>) \n[2975689](<http://support.microsoft.com/kb/2975689>) \n[2957189](<http://support.microsoft.com/kb/2957189>) \n[3013126](<http://support.microsoft.com/kb/3013126>) \n[2969259](<http://support.microsoft.com/kb/2969259>) \n[2929961](<http://support.microsoft.com/kb/2929961>) \n[3010788](<http://support.microsoft.com/kb/3010788>) \n[2984615](<http://support.microsoft.com/kb/2984615>) \n[2914368](<http://support.microsoft.com/kb/2914368>) \n[3003743](<http://support.microsoft.com/kb/3003743>) \n[3002885](<http://support.microsoft.com/kb/3002885>) \n[2904659](<http://support.microsoft.com/kb/2904659>) \n[2961858](<http://support.microsoft.com/kb/2961858>) \n[3005607](<http://support.microsoft.com/kb/3005607>) \n[2962490](<http://support.microsoft.com/kb/2962490>) \n[2592687](<http://support.microsoft.com/kb/2592687>) \n[2966034](<http://support.microsoft.com/kb/2966034>) \n[2993958](<http://support.microsoft.com/kb/2993958>) \n[2988948](<http://support.microsoft.com/kb/2988948>) \n[2961072](<http://support.microsoft.com/kb/2961072>) \n[2926765](<http://support.microsoft.com/kb/2926765>) \n[2973932](<http://support.microsoft.com/kb/2973932>) \n[2962123](<http://support.microsoft.com/kb/2962123>) \n[2998579](<http://support.microsoft.com/kb/2998579>) \n[2989935](<http://support.microsoft.com/kb/2989935>) \n[2973906](<http://support.microsoft.com/kb/2973906>) \n[2961899](<http://support.microsoft.com/kb/2961899>) \n[2933826](<http://support.microsoft.com/kb/2933826>) \n[2962478](<http://support.microsoft.com/kb/2962478>) \n[2975685](<http://support.microsoft.com/kb/2975685>) \n[2975684](<http://support.microsoft.com/kb/2975684>) \n[2916036](<http://support.microsoft.com/kb/2916036>) \n[2975681](<http://support.microsoft.com/kb/2975681>) \n[2978742](<http://support.microsoft.com/kb/2978742>) \n[2933528](<http://support.microsoft.com/kb/2933528>) \n[2934418](<http://support.microsoft.com/kb/2934418>) \n[2993254](<http://support.microsoft.com/kb/2993254>) \n[2978668](<http://support.microsoft.com/kb/2978668>) \n[2974286](<http://support.microsoft.com/kb/2974286>) \n[2928120](<http://support.microsoft.com/kb/2928120>) \n[2991963](<http://support.microsoft.com/kb/2991963>) \n[2992611](<http://support.microsoft.com/kb/2992611>) \n[3000869](<http://support.microsoft.com/kb/3000869>) \n[3011443](<http://support.microsoft.com/kb/3011443>) \n[2923392](<http://support.microsoft.com/kb/2923392>) \n[2962488](<http://support.microsoft.com/kb/2962488>) \n[2918614](<http://support.microsoft.com/kb/2918614>) \n[2962485](<http://support.microsoft.com/kb/2962485>) \n[2889913](<http://support.microsoft.com/kb/2889913>) \n[2912390](<http://support.microsoft.com/kb/2912390>) \n[2962486](<http://support.microsoft.com/kb/2962486>) \n[2930275](<http://support.microsoft.com/kb/2930275>) \n[2919355](<http://support.microsoft.com/kb/2919355>) \n[2965788](<http://support.microsoft.com/kb/2965788>) \n[2972280](<http://support.microsoft.com/kb/2972280>) \n[2962073](<http://support.microsoft.com/kb/2962073>) \n[2971850](<http://support.microsoft.com/kb/2971850>) \n[2992719](<http://support.microsoft.com/kb/2992719>) \n[2993651](<http://support.microsoft.com/kb/2993651>) \n[3000061](<http://support.microsoft.com/kb/3000061>) \n[2913602](<http://support.microsoft.com/kb/2913602>) \n[2976897](<http://support.microsoft.com/kb/2976897>) \n[2973408](<http://support.microsoft.com/kb/2973408>) \n[3006226](<http://support.microsoft.com/kb/3006226>) \n[3011780](<http://support.microsoft.com/kb/3011780>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "cvss3": {}, "published": "2014-11-11T00:00:00", "type": "kaspersky", "title": "KLA10601 Multiple vulnerabilities in Microsoft products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5065", "CVE-2014-0254", "CVE-2014-0255", "CVE-2014-0256", "CVE-2014-0262", "CVE-2014-0263", "CVE-2014-0266", "CVE-2014-0296", "CVE-2014-0300", "CVE-2014-0301", "CVE-2014-0315", "CVE-2014-0316", "CVE-2014-0317", "CVE-2014-0318", "CVE-2014-0323", "CVE-2014-1767", "CVE-2014-1807", "CVE-2014-1811", "CVE-2014-1812", "CVE-2014-1814", "CVE-2014-1816", "CVE-2014-1819", "CVE-2014-1824", "CVE-2014-2780", "CVE-2014-2781", "CVE-2014-4060", "CVE-2014-4064", "CVE-2014-4074", "CVE-2014-4076", "CVE-2014-4077", "CVE-2014-4113", "CVE-2014-4114", "CVE-2014-4115", "CVE-2014-4118", "CVE-2014-4148", "CVE-2014-4971", "CVE-2014-6317", "CVE-2014-6318", "CVE-2014-6321", "CVE-2014-6322", "CVE-2014-6324", "CVE-2014-6332", "CVE-2014-6352", "CVE-2014-6355", "CVE-2014-6532"], "modified": "2022-01-18T00:00:00", "id": "KLA10601", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10601/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}