4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
44.1%
The remote Windows host is missing a security update. It is, therefore, affected by a security bypass vulnerability in Secure Boot due to improper handling of malicious boot managers. An attacker with administrative privileges can exploit this vulnerability to bypass code integrity checks and load test-signed executables and drivers.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(92822);
script_version("1.10");
script_cvs_date("Date: 2019/11/14");
script_cve_id("CVE-2016-3320");
script_bugtraq_id(92304);
script_xref(name:"MSFT", value:"MS16-100");
script_xref(name:"MSKB", value:"3172729");
script_xref(name:"IAVB", value:"2016-B-0122");
script_name(english:"MS16-100: Security Update for Secure Boot (3179577)");
script_summary(english:"Checks the version of tpmtasks.dll.");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a security bypass
vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote Windows host is missing a security update. It is,
therefore, affected by a security bypass vulnerability in Secure Boot
due to improper handling of malicious boot managers. An attacker with
administrative privileges can exploit this vulnerability to bypass
code integrity checks and load test-signed executables and drivers.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-100");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2012, 8.1, RT 8.1,
2012 R2, and 10. Alternatively, as a workaround, configure BitLocker
to use Trusted Platform Module (TPM)+PIN protection or disable Secure
Boot integrity protection of BitLocker per the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3320");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/09");
script_set_attribute(attribute:"patch_publication_date", value:"2016/08/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
include("datetime.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS16-100';
kbs = make_list('3172729');
rls_vuln = FALSE;
vuln = FALSE;
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
get_kb_item_or_exit("SMB/Registry/Enumerated");
os_version = get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
local_arch = get_kb_item("SMB/ARCH");
if(hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0)
audit(AUDIT_OS_SP_NOT_VULN);
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname && "Windows 8.1" >!< productname)
audit(AUDIT_OS_SP_NOT_VULN);
systemroot = hotfix_get_systemroot();
if (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');
# No file version to check in windows 10
# So check registry to see if update was installed.
if(os_version == "10")
{
registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
# Check release (10 base and 1511 are vuln, 1607 is not)
key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion";
release = NULL;
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
release = RegQueryValue(handle:key_h, item:'ReleaseId');
if (!isnull(release)) release = release[1];
RegCloseKey(handle:key_h);
}
if(release == "1511" || empty_or_null(release)) rls_vuln = TRUE;
if(local_arch == "x64")
{
key="SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB3172729~31bf3856ad364e35~amd64~~10.0.1.1";
}
else
{
key="SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB3172729~31bf3856ad364e35~x86~~10.0.1.1";
}
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
value = RegQueryValue(handle:key_h, item:'InstallName');
if (!isnull(value)) entry = value[1];
RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
NetUseDel(close:FALSE);
if ("KB3172729" >< entry || !rls_vuln)
{
audit(AUDIT_HOST_NOT, 'affected');
}
vuln = TRUE;
report = '\nKB3046269 is not installed on this Windows 10 System\n';
hotfix_add_report(bulletin:bulletin, kb:"3172729", report);
}
if (
# Windows 8.1 / Windows Server 2012 R2
hotfix_is_vulnerable(os:"6.3", sp:0, file:"tpmtasks.dll", version:"6.3.9600.18408", dir:"\system32", bulletin:bulletin, kb:"3172729") ||
# Windows Server 2012
hotfix_is_vulnerable(os:"6.2", sp:0, file:"tpmtasks.dll", version:"6.2.9200.21926", dir:"\system32", bulletin:bulletin, kb:"3172729") ||
vuln
)
{
set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
hotfix_security_warning();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
44.1%