Windows 10 / Windows Server 2016 September 2017 Information Disclosure Vulnerability (CVE-2017-8529)

2020-05-28T00:00:00
ID SMB_NT_MS17_SEP_CVE-2017-8529.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-05-28T00:00:00

Description

The remote Windows host is missing a security update or a registry setting required to enable protections for CVE-2017-8529. It is, therefore, affected by an information disclosure vulnerability:

  • An information disclosure vulnerability exists when affected Microsoft scripting engines do not properly handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user's computer. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability.

                                        
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('compat.inc');

if (description)
{
  script_id(136946);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  # One MSKB/MSFT cross-reference pair per rollup KB; these are the same four
  # KBs the build-number switch later in this script maps onto.
  script_cve_id("CVE-2017-8529");
  script_bugtraq_id(98953);
  script_xref(name:"MSKB", value:"4038781");
  script_xref(name:"MSFT", value:"MS17-4038781");
  script_xref(name:"MSKB", value:"4038783");
  script_xref(name:"MSFT", value:"MS17-4038783");
  script_xref(name:"MSKB", value:"4038782");
  script_xref(name:"MSFT", value:"MS17-4038782");
  script_xref(name:"MSKB", value:"4038788");
  script_xref(name:"MSFT", value:"MS17-4038788");

  script_name(english:"Windows 10 / Windows Server 2016 September 2017 Information Disclosure Vulnerability (CVE-2017-8529)");
  script_summary(english:"Checks for presence of the patch rollup and registry key(s).");

  # The check is two-fold (rollup installed AND the FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
  # feature-control value enabled), which is why the description mentions both a
  # missing update and a missing registry setting.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing a security update or a registry setting
required to enable protections for CVE-2017-8529. It is, therefore, affected by an
information disclosure vulnerability:

- An information disclosure vulnerability exists when affected Microsoft
scripting engines do not properly handle objects in memory. The vulnerability
could allow an attacker to detect specific files on the user's computer. In a
web-based attack scenario, an attacker could host a website that is used to
attempt to exploit the vulnerability.");
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1f6a3c24");
  script_set_attribute(attribute:"solution", value:
"Refer to the Microsoft CVE article for additional information.");
  # CVSSv2 / CVSSv3 vectors are taken from the CVE entry (see cvss_score_source).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-8529");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Needs the rollup/hotfix enumeration plugins to have run first; the script
  # body also exits early when Host/patch_management_checks is set.
  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('audit.inc');
include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');
include('misc_func.inc');

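# Verifies that the FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX feature-control
# value, which activates the CVE-2017-8529 fix for iexplore.exe, is present and
# non-zero. On x64 hosts the WOW6432Node (32-bit Internet Explorer) view is
# checked as well, since both IE flavours read their own FeatureControl key.
#
# kb : KB number of the rollup the finding is attributed to; forwarded to
#      hotfix_add_report().
#
# Returns TRUE when at least one required value is missing or set to 0 (a
# report section is added in that case), FALSE when every required value is set.
function is_print_fix_enabled(kb)
{
  # Must match the script-level 'bulletin' so this finding is filed under the
  # same bulletin as the rollup check and the SMB/Missing/<bulletin> KB item.
  var bulletin_id = 'MS17-09';
  var keyx86 = "SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\iexplore.exe";
  var keyx64 = "SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\iexplore.exe";

  # Native view first; the WOW6432Node view only exists on x64 hosts.
  var keys = make_list(keyx86);
  var arch = get_kb_item('SMB/ARCH');
  if (!isnull(arch) && arch == 'x64')
    keys = make_list(keys, keyx64);

  registry_init();
  var fix_missing = FALSE;
  var report = '';
  var key, status;
  foreach key (keys)
  {
    # check_print_fix() returns 'set', or a sentence fragment ending in a period
    # ('missing.' / 'not enabled.') that is spliced into the report line below.
    status = check_print_fix(key:key);
    if (status == 'set') continue;

    report += '\nThe following registry key is required to enable the fix for CVE-2017-8529 and is ' + status + '\n  ';
    report += 'HKLM\\' + key;
    report += '\n';
    fix_missing = TRUE;
  }
  close_registry();

  if (fix_missing)
    hotfix_add_report(bulletin:bulletin_id, kb:kb, report);

  return fix_missing;
}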

# Reads one feature-control value under HKLM and classifies it.
#
# key : path below HKLM of the DWORD value to inspect.
#
# Returns 'missing.' when the value does not exist, 'not enabled.' when it
# exists but equals 0, and 'set' for any other value. The trailing period on
# the first two strings is deliberate: callers splice them into a sentence.
function check_print_fix(key)
{
  var hive = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
  var value = get_registry_value(handle:hive, item:key);
  RegCloseKey(handle:hive);

  # Default to the "good" state and downgrade only on a missing or zero value.
  var status = 'set';
  if (isnull(value))
    status = 'missing.';
  else if (value == 0)
    status = 'not enabled.';

  return status;
}


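get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

# Bulletin tag for the September 2017 rollups; it is also the suffix of the
# SMB/Missing/<bulletin> KB item written at the end of this script.
bulletin = 'MS17-09';
# The four rollup KBs this plugin covers; the build-number switch below picks
# the one that applies to the detected Windows 10 release.
kbs = make_list(
  '4038781',
  '4038783',
  '4038782',
  '4038788'
);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# Nothing to do when the monthly rollup plugin already reports on this host.
if (get_kb_item('Host/patch_management_checks'))
  exit(0, 'Patch coverage provided by monthly rollup plugin.');

# Update only applies to Windows 10 / Server 2016; Server Core and Nano are out of scope.
if (hotfix_check_sp_range(win10:'0') <= 0 || hotfix_check_server_core() == 1 || hotfix_check_server_nano() == 1)
  audit(AUDIT_OS_SP_NOT_VULN);


os_build = get_kb_item('SMB/WindowsVersionBuild');

# Map the OS build number to the September 2017 rollup KB for that release.
switch (os_build)
{
  case 10240: # Windows 10 RTM
    kb = '4038781';
    break;
  case 10586: # Windows 10 1511
    kb = '4038783';
    break;
  case 14393: # Windows 10 1607 / Windows Server 2016
    kb = '4038782';
    break;
  case 15063: # Windows 10 1703
    kb = '4038788';
    break;
  default:
    audit(AUDIT_OS_SP_NOT_VULN);
}

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Evaluate both checks into variables first (rather than short-circuiting inside
# the if) so that both of them always run.
rollupBool = (smb_check_rollup(os:'10', sp:0, os_build:os_build, rollup_date:'09_2017', bulletin:bulletin, rollup_kb_list:[kb]));
# Pass the selected KB: is_print_fix_enabled() forwards it to hotfix_add_report()
# so the registry finding is reported against the right KB.
printfixBool = (is_print_fix_enabled(kb:kb));

if (rollupBool || printfixBool)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}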