The remote Windows host is missing multiple security updates released on 2017/11/14. It is, therefore, affected by multiple vulnerabilities :
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include("compat.inc");
if (description)
{
script_id(104561);
script_version("1.14");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/04");
script_cve_id(
"CVE-2017-11788",
"CVE-2017-11831",
"CVE-2017-11832",
"CVE-2017-11835",
"CVE-2017-11847",
"CVE-2017-11849",
"CVE-2017-11851",
"CVE-2017-11852",
"CVE-2017-11853",
"CVE-2017-11880"
);
script_bugtraq_id(
101711,
101721,
101726,
101729,
101736,
101739,
101755,
101762,
101763,
101764
);
script_xref(name:"MSKB", value:"4046184");
script_xref(name:"MSFT", value:"MS17-4046184");
script_xref(name:"MSKB", value:"4047211");
script_xref(name:"MSFT", value:"MS17-4047211");
script_xref(name:"MSKB", value:"4048968");
script_xref(name:"MSFT", value:"MS17-4048968");
script_xref(name:"MSKB", value:"4048970");
script_xref(name:"MSFT", value:"MS17-4048970");
script_xref(name:"MSKB", value:"4049164");
script_xref(name:"MSFT", value:"MS17-4049164");
script_name(english:"Windows 2008 November 2017 Multiple Security Updates");
script_summary(english:"Checks the existence of Windows Server 2008 November 2017 Patches.");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote Windows host is missing multiple security updates released
on 2017/11/14. It is, therefore, affected by multiple
vulnerabilities :
- An information disclosure vulnerability exists when the
Windows kernel improperly initializes objects in memory.
(CVE-2017-11880)
- An information disclosure vulnerability exists in the
way that the Microsoft Windows Embedded OpenType (EOT)
font engine parses specially crafted embedded fonts. An
attacker who successfully exploited this vulnerability
could potentially read data that was not intended to be
disclosed. Note that this vulnerability would not allow
an attacker to execute code or to elevate their user
rights directly, but it could be used to obtain
information that could be used to try to further
compromise the affected system. (CVE-2017-11832,
CVE-2017-11835)
- An elevation of privilege vulnerability exists when the
Windows kernel fails to properly handle objects in
memory. An attacker who successfully exploited this
vulnerability could run arbitrary code in kernel mode.
An attacker could then install programs; view, change,
or delete data; or create new accounts with full user
rights. (CVE-2017-11847)
- An information disclosure vulnerability exists when the
Windows kernel fails to properly initialize a memory
address. An attacker who successfully exploited this
vulnerability could obtain information to further
compromise the users system. (CVE-2017-11831,
CVE-2017-11849, CVE-2017-11853)
- A denial of service vulnerability exists when Windows
Search improperly handles objects in memory. An attacker
who successfully exploited the vulnerability could cause
a remote denial of service against a system.
(CVE-2017-11788)
- A Win32k information disclosure vulnerability exists
when the Windows GDI component improperly discloses
kernel memory addresses. An attacker who successfully
exploited the vulnerability could obtain information to
further compromise the users system. (CVE-2017-11851,
CVE-2017-11852)");
# https://support.microsoft.com/en-us/help/4046184/security-update-for-windows-information-disclosure
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?93affd27");
# https://support.microsoft.com/en-us/help/4048968/windows-eot-font-engine-information-disclosure-vulnerability
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6ae2aa8e");
# https://support.microsoft.com/en-us/help/4049164/security-update-for-information-disclosure-vulnerability-in-windows-se
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8a4acc26");
# https://support.microsoft.com/en-us/help/4048970/security-update-for-vulnerabilities-in-windows-server-2008
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2b1232ba");
# https://support.microsoft.com/en-us/help/4047211/security-update-for-the-windows-search-denial-of-service-vulnerability
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fea3380b");
script_set_attribute(attribute:"solution", value:
"Apply the following security updates :
- 4046184
- 4047211
- 4048968
- 4048970
- 4049164");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-11847");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/14");
script_set_attribute(attribute:"patch_publication_date", value:"2017/11/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS17-11';
kbs = make_list(
"4046184",
"4047211",
"4048968",
"4048970",
"4049164"
);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
# KBs only apply to Windows 2008
if (hotfix_check_sp_range(vista:'2') <= 0)
audit(AUDIT_OS_SP_NOT_VULN);
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Vista" >< productname) audit(AUDIT_OS_SP_NOT_VULN);
systemroot = hotfix_get_systemroot();
if (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
winsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\WinSxS", string:systemroot);
winsxs_share = hotfix_path2share(path:systemroot);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);
if (rc != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL, winsxs_share);
}
the_session = make_array(
'login', login,
'password', pass,
'domain', domain,
'share', winsxs_share
);
vuln = 0;
# 4049164
files = list_dir(basedir:winsxs, level:0, dir_pat:"ntfs_31bf3856ad364e35", file_pat:"^ntfs\.sys$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
sp:2,
files:files,
versions:make_list('6.0.6002.24215'),
max_versions:make_list('6.0.6003.99999'),
bulletin:bulletin,
kb:"4049164", session:the_session);
# 4047211
files = list_dir(basedir:winsxs, level:0, dir_pat:"c..ent-indexing-common_31bf3856ad364e35", file_pat:"^query\.dll$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
sp:2,
files:files,
versions:make_list('6.0.6002.24215'),
max_versions:make_list('6.0.6003.99999'),
bulletin:bulletin,
kb:"4047211", session:the_session);
# 4048970
files = list_dir(basedir:winsxs, level:0, dir_pat:"win32k_31bf3856ad364e35", file_pat:"^win32k\.sys$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
sp:2,
files:files,
versions:make_list('6.0.6002.24215'),
max_versions:make_list('6.0.6003.99999'),
bulletin:bulletin,
kb:"4048970", session:the_session);
# 4048968
files = list_dir(basedir:winsxs, level:0, dir_pat:"font-embedding_31bf3856ad364e35", file_pat:"^t2embed\.dll$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
sp:2,
files:files,
versions:make_list('6.0.6002.24215'),
max_versions:make_list('6.0.6003.99999'),
bulletin:bulletin,
kb:"4048968", session:the_session);
# 4046184
files = list_dir(basedir:winsxs, level:0, dir_pat:"lua-filevirtualization_31bf3856ad364e35", file_pat:"^luafv\.sys$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
sp:2,
files:files,
versions:make_list('6.0.6002.24215'),
max_versions:make_list('6.0.6003.99999'),
bulletin:bulletin,
kb:"4046184", session:the_session);
if (vuln > 0)
{
replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11788
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11831
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11832
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11835
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11847
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11849
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11851
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11852
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11853
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11880
www.nessus.org/u?2b1232ba
www.nessus.org/u?6ae2aa8e
www.nessus.org/u?8a4acc26
www.nessus.org/u?93affd27
www.nessus.org/u?fea3380b