Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS15-031.NASL
HistoryMar 10, 2015 - 12:00 a.m.

MS15-031: Vulnerability in Schannel Could Allow Security Feature Bypass (3046049) (FREAK)

2015-03-1000:00:00
This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
51
JSON

The remote Windows host is affected by a security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81745);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-1637");
  script_bugtraq_id(72965);
  script_xref(name:"CERT", value:"243585");
  script_xref(name:"MSFT", value:"MS15-031");
  script_xref(name:"MSKB", value:"3046049");

  script_name(english:"MS15-031: Vulnerability in Schannel Could Allow Security Feature Bypass (3046049) (FREAK)");
  script_summary(english:"Checks the version of schannel.dll.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a security feature bypass
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by a security feature bypass
vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys),
due to the support of weak EXPORT_RSA cipher suites with keys less
than or equal to 512 bits. A man-in-the-middle attacker may be able to
downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which
can be factored in a short amount of time, allowing the attacker to
intercept and decrypt the traffic.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-031");
  script_set_attribute(attribute:"see_also", value:"https://www.smacktls.com/#freak");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2003, Vista, 2008,
7, 2008 R2, 8, 2012, 8.1, and 2012 R2.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1637");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS15-031';

kb = "3046049";
kbs = make_list(
  kb
);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# The 2k3 checks could flag XP 64, which is unsupported
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows XP" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

if (
  # Windows 8.1 / 2012 R2
  hotfix_is_vulnerable(os:"6.3", file:"schannel.dll", version:"6.3.9600.17702", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 8 / 2012
  hotfix_is_vulnerable(os:"6.2", file:"schannel.dll", version:"6.2.9200.21410", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", file:"schannel.dll", version:"6.2.9200.17293", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 / 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"schannel.dll", version:"6.1.7601.22983", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"schannel.dll", version:"6.1.7601.18779", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"schannel.dll", version:"6.0.6002.23640", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"schannel.dll", version:"6.0.6002.19332", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"schannel.dll", version:"5.2.3790.5564", dir:"\system32", bulletin:bulletin, kb:kb)

)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

threatpost 1
thn 1
openvas 1
nessus 2
kaspersky 1
checkpoint_advisories 2
f5 2
cvelist 2
cve 2
prion 2
securityvulns 1
threatpost
threatpost
Microsoft Schannel Vulnerable to FREAK
2015-03-05 16:19:27
thn
thn
Microsoft: All Windows versions Vulnerable to FREAK Vulnerability
2015-03-05 21:01:00
openvas
openvas
Microsoft Schannel Security Feature Bypass Vulnerability (3046049)
2015-03-11 00:00:00
nessus
nessus
MS KB3046015: Vulnerability in Schannel Could Allow Security Feature Bypass (FREAK)
2015-03-05 00:00:00
Lexmark Printer config.html Administrator Authentication Bypass (FREAK)
2015-10-19 00:00:00
kaspersky
kaspersky
KLA10459 Security bypass vulnerability in Microsoft Windows
2015-03-10 00:00:00
checkpoint_advisories
checkpoint_advisories
OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204; CVE-2015-1637)
2015-03-04 00:00:00
SSL Export Cipher Suite (CVE-2015-0204; CVE-2015-1637)
2015-03-04 00:00:00
f5
f5
K16903 : Microsoft Schannel vulnerability CVE-2015-1637
2015-07-13 00:00:00
SOL16903 - Microsoft Schannel vulnerability CVE-2015-1637
2015-07-13 00:00:00
cvelist
cvelist
CVE-2015-1067
2015-03-11 01:00:00
CVE-2015-1637
2015-03-06 17:00:00
cve
cve
CVE-2015-1637
2015-03-06 17:59:00
CVE-2015-1067
2015-03-11 01:59:00
prion
prion
Design/Logic Flaw
2015-03-11 01:59:00
Design/Logic Flaw
2015-03-06 17:59:00
securityvulns
securityvulns
Microsoft Windows multiple security vulnerabilities
2015-04-16 00:00:00
JSON
Related for SMB_NT_MS15-031.NASL
threatpost1thn1openvas1nessus2kaspersky1checkpoint_advisories2f52cvelist2cve2prion2securityvulns1