{"id": "TALOSBLOG:E46C0BFC4B4F202E3D3E1160D7F01B3A", "type": "talosblog", "bulletinFamily": "blog", "title": "Vulnerability Spotlight: TALOS-2018-0545 - Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability", "description": "Vulnerabilities discovered by Marcin Noga from Talos \n \n\n\n### Overview\n\n \nTalos is disclosing a remote code execution vulnerability in the Microsoft wimgapi library. The wimgapi DLL is used in the Microsoft Windows operating system to perform operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. If an attacker creates a specially crafted WIM file, they could be able to execute malicious code with the same access rights as the logged-in user, or just crash the system with a denial-of-service attack. The vulnerability is related to the file header parsing, which means it gets triggered even on simple operations. WIM files do not have a registered file type handler by default, which means that this vulnerability cannot be triggered by tricking a user into double-clicking a WIM file \u2014 at least not without registering a file-handler first. This vulnerability was assigned CVE-2018-8210 and a security patch was released as part of the June 2018 Microsoft Patch Tuesday release. The Microsoft advisory can be found [here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210>). \n \n\n\n### Details\n\nThe vulnerability exists in the LoadIntegrityInfo functions that manifest during the parsing of a WIM file header. A specially crafted WIM file can lead to a heap corruption, and remote code execution. \nThe vulnerability triggers, even on the simplest operations performed on a malformed WIM file. For example, it is enough if an application tries to open the WIM file via the WIMCreateFile function and requests a file handle. The function allocates heap memory based on a user-controlled size value, and uses another user-controlled value to read n bytes from the file into this buffer. It is using these values without any prior input checks. \n \nMore technical details can be found in the [Talos Vulnerability Reports](<https://www.talosintelligence.com/reports/TALOS-2018-0545>). \n \n\n\n### Coverage\n\nThe following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rule: 46055-46056,46058-46059\n\n", "published": "2018-06-13T08:14:00", "modified": "2018-06-15T14:51:06", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/aPB0-5I521o/vulnerability-spotlight-talos-2018-0545.html", "reporter": "noreply@blogger.com (Holger Unterbrink)", "references": [], "cvelist": ["CVE-2018-8210"], "lastseen": "2018-07-10T22:29:40", "history": [{"bulletin": {"id": "TALOSBLOG:E46C0BFC4B4F202E3D3E1160D7F01B3A", "type": "talosblog", "bulletinFamily": "blog", "title": "Vulnerability Spotlight: TALOS-2018-0545 - Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability", "description": "Vulnerabilities discovered by Marcin Noga from Talos \n \n\n\n### Overview\n\n \nTalos is disclosing a remote code execution vulnerability in the Microsoft wimgapi library. The wimgapi DLL is used in the Microsoft Windows operating system to perform operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. If an attacker creates a specially crafted WIM file, they could be able to execute malicious code with the same access rights as the logged-in user, or just crash the system with a denial-of-service attack. The vulnerability is related to the file header parsing, which means it gets triggered even on simple operations. WIM files do not have a registered file type handler by default, which means that this vulnerability cannot be triggered by tricking a user into double-clicking a WIM file \u2014 at least not without registering a file-handler first. \n \n\n\n### Details\n\nThe vulnerability exists in the LoadIntegrityInfo functions that manifest during the parsing of a WIM file header. A specially crafted WIM file can lead to a heap corruption, and remote code execution. \nThe vulnerability triggers, even on the simplest operations performed on a malformed WIM file. For example, it is enough if an application tries to open the WIM file via the WIMCreateFile function and requests a file handle. The function allocates heap memory based on a user-controlled size value, and uses another user-controlled value to read n bytes from the file into this buffer. It is using these values without any prior input checks. \n \nMore technical details can be found in the [Talos Vulnerability Reports](<https://www.talosintelligence.com/reports/TALOS-2018-0545>). \n \n\n\n### Coverage\n\nThe following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rule: 46055-46056,46058-46059\n\n[](<http://feeds.feedburner.com/~ff/feedburner/Talos?a=aPB0-5I521o:P5VcxUD-chg:yIl2AUoC8zA>)\n\n", "published": "2018-06-13T08:14:00", "modified": "2018-06-13T15:14:48", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/aPB0-5I521o/vulnerability-spotlight-talos-2018-0545.html", "reporter": "noreply@blogger.com (Holger Unterbrink)", "references": [], "cvelist": [], "lastseen": "2018-06-13T16:05:37", "history": [], "viewCount": 20, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2018-06-13T16:05:37"}}, "objectVersion": "1.4"}, "lastseen": "2018-06-13T16:05:37", "differentElements": ["cvelist", "description", "modified"], "edition": 1}, {"bulletin": {"id": "TALOSBLOG:E46C0BFC4B4F202E3D3E1160D7F01B3A", "type": "talosblog", "bulletinFamily": "blog", "title": "Vulnerability Spotlight: TALOS-2018-0545 - Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability", "description": "Vulnerabilities discovered by Marcin Noga from Talos \n \n\n\n### Overview\n\n \nTalos is disclosing a remote code execution vulnerability in the Microsoft wimgapi library. The wimgapi DLL is used in the Microsoft Windows operating system to perform operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. If an attacker creates a specially crafted WIM file, they could be able to execute malicious code with the same access rights as the logged-in user, or just crash the system with a denial-of-service attack. The vulnerability is related to the file header parsing, which means it gets triggered even on simple operations. WIM files do not have a registered file type handler by default, which means that this vulnerability cannot be triggered by tricking a user into double-clicking a WIM file \u2014 at least not without registering a file-handler first. This vulnerability was assigned CVE-2018-8210 and a security patch was released as part of the June 2018 Microsoft Patch Tuesday release. The Microsoft advisory can be found [here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210>). \n \n\n\n### Details\n\nThe vulnerability exists in the LoadIntegrityInfo functions that manifest during the parsing of a WIM file header. A specially crafted WIM file can lead to a heap corruption, and remote code execution. \nThe vulnerability triggers, even on the simplest operations performed on a malformed WIM file. For example, it is enough if an application tries to open the WIM file via the WIMCreateFile function and requests a file handle. The function allocates heap memory based on a user-controlled size value, and uses another user-controlled value to read n bytes from the file into this buffer. It is using these values without any prior input checks. \n \nMore technical details can be found in the [Talos Vulnerability Reports](<https://www.talosintelligence.com/reports/TALOS-2018-0545>). \n \n\n\n### Coverage\n\nThe following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rule: 46055-46056,46058-46059\n\n[](<http://feeds.feedburner.com/~ff/feedburner/Talos?a=aPB0-5I521o:P5VcxUD-chg:yIl2AUoC8zA>)\n\n", "published": "2018-06-13T08:14:00", "modified": "2018-06-15T14:51:06", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/aPB0-5I521o/vulnerability-spotlight-talos-2018-0545.html", "reporter": "noreply@blogger.com (Holger Unterbrink)", "references": [], "cvelist": ["CVE-2018-8210"], "lastseen": "2018-06-15T16:08:38", "history": [], "viewCount": 20, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2018-06-15T16:08:38"}}, "objectVersion": "1.4"}, "lastseen": "2018-06-15T16:08:38", "differentElements": ["cvss"], "edition": 2}, {"bulletin": {"id": "TALOSBLOG:E46C0BFC4B4F202E3D3E1160D7F01B3A", "type": "talosblog", "bulletinFamily": "blog", "title": "Vulnerability Spotlight: TALOS-2018-0545 - Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability", "description": "Vulnerabilities discovered by Marcin Noga from Talos \n \n\n\n### Overview\n\n \nTalos is disclosing a remote code execution vulnerability in the Microsoft wimgapi library. The wimgapi DLL is used in the Microsoft Windows operating system to perform operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. If an attacker creates a specially crafted WIM file, they could be able to execute malicious code with the same access rights as the logged-in user, or just crash the system with a denial-of-service attack. The vulnerability is related to the file header parsing, which means it gets triggered even on simple operations. WIM files do not have a registered file type handler by default, which means that this vulnerability cannot be triggered by tricking a user into double-clicking a WIM file \u2014 at least not without registering a file-handler first. This vulnerability was assigned CVE-2018-8210 and a security patch was released as part of the June 2018 Microsoft Patch Tuesday release. The Microsoft advisory can be found [here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210>). \n \n\n\n### Details\n\nThe vulnerability exists in the LoadIntegrityInfo functions that manifest during the parsing of a WIM file header. A specially crafted WIM file can lead to a heap corruption, and remote code execution. \nThe vulnerability triggers, even on the simplest operations performed on a malformed WIM file. For example, it is enough if an application tries to open the WIM file via the WIMCreateFile function and requests a file handle. The function allocates heap memory based on a user-controlled size value, and uses another user-controlled value to read n bytes from the file into this buffer. It is using these values without any prior input checks. \n \nMore technical details can be found in the [Talos Vulnerability Reports](<https://www.talosintelligence.com/reports/TALOS-2018-0545>). \n \n\n\n### Coverage\n\nThe following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rule: 46055-46056,46058-46059\n\n[](<http://feeds.feedburner.com/~ff/feedburner/Talos?a=aPB0-5I521o:P5VcxUD-chg:yIl2AUoC8zA>)\n\n", "published": "2018-06-13T08:14:00", "modified": "2018-06-15T14:51:06", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/aPB0-5I521o/vulnerability-spotlight-talos-2018-0545.html", "reporter": "noreply@blogger.com (Holger Unterbrink)", "references": [], "cvelist": ["CVE-2018-8210"], "lastseen": "2018-06-19T08:13:39", "history": [], "viewCount": 23, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2018-06-19T08:13:39"}}, "objectVersion": "1.4"}, "lastseen": "2018-06-19T08:13:39", "differentElements": ["description"], "edition": 3}], "viewCount": 111, "enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2018-07-10T22:29:40", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-8210"]}, {"type": "seebug", "idList": ["SSV:97354"]}, {"type": "symantec", "idList": ["SMNTC-104407"]}, {"type": "talos", "idList": ["TALOS-2018-0545"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813529", "OPENVAS:1361412562310813527", "OPENVAS:1361412562310813528", "OPENVAS:1361412562310813530", "OPENVAS:1361412562310813526", "OPENVAS:1361412562310813532"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_JUN_4284819.NASL", "SMB_NT_MS18_JUN_4284880.NASL", "SMB_NT_MS18_JUN_4284815.NASL", "SMB_NT_MS18_JUN_4284860.NASL", "SMB_NT_MS18_JUN_4284855.NASL", "SMB_NT_MS18_JUN_4284874.NASL", "SMB_NT_MS18_JUN_4284835.NASL"]}, {"type": "kaspersky", "idList": ["KLA11266"]}, {"type": "talosblog", "idList": ["TALOSBLOG:30BC73E0EDF7739A87A63A99D8A6E0D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F2BD1E9071121715A43D46B35B2E97A7"]}], "modified": "2018-07-10T22:29:40", "rev": 2}, "vulnersScore": 6.0}, "objectVersion": "1.4", "_object_type": "robots.models.rss.RssBulletin", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2019-10-04T12:26:49", "bulletinFamily": "NVD", "description": "A remote code execution vulnerability exists when Windows improperly handles objects in memory, aka \"Windows Remote Code Execution Vulnerability.\" This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8213.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-8210", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8210", "published": "2018-06-14T12:29:00", "title": "CVE-2018-8210", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2018-06-26T22:21:34", "bulletinFamily": "exploit", "description": "### Summary\r\nAn exploitable heap corruption exists in the LoadIntegrityInfo function of wimgapi version 10.0.16299.15 (WinBuild.160101.0800). A crafted WIM image can lead to a heap corruption, resulting in direct code execution.\r\n\r\n### Tested Versions\r\nWIMGAPI 10.0.16299.15 (WinBuild.160101.0800)\r\n\r\n### Product URLs\r\nhttps://www.microsoft.com\r\n\r\n### CVSSv3 Score\r\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-122: Heap-based Buffer Overflow\r\n\r\n### Details\r\nThis vulnerability is present in the wimgapi DLL, which is used for performing operations on Windows Imaging Forma (WIM) files.\r\nWIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. There is a vulnerability in the LoadIntegrityInfo function that manifests during the parsing of the WIM file header. A specially crafted WIM file can lead to a heap corruption and remote code execution. The vulnerability triggers even on the simplest operations performed on malformed WIM file because its related to file header parsing. It triggers just after we try to obtain a WIM file handle via:\r\n```\r\nhWim = WIMCreateFile(pszWimFile.c_str(), // Path to existing .wim file\r\n WIM_GENERIC_READ, // Access mode\r\n WIM_OPEN_EXISTING, // Open disposition\r\n dwCreateFlags,\r\n 0, // Compression type is ignored for WIM_OPEN_EXISTING.\r\n &dwCreateResult);\r\n```\r\n\r\nInternally, the wimgapi will try to load part of the WIM header, which is the Integrity Table Layout. This operation is performed in the LoadIntegrityInfo function:\r\n```\r\nLine 1 signed int __thiscall LoadIntegrityInfo(void *this)\r\nLine 2 {\r\nLine 3 void *v1; // edi\r\nLine 4 signed int v2; // esi\r\nLine 5 _WIMHEADER_V1_PACKED *wimHeader; // eax MAPDST\r\nLine 6 __int64 v5; // rax\r\nLine 7 SIZE_T uncompressSize; // ST10_4\r\nLine 8 HANDLE v7; // eax\r\nLine 9 LPVOID uncompressBuffer; // eax\r\nLine 10 void *v9; // ebx\r\nLine 11 signed int v10; // eax\r\nLine 12 DWORD v11; // esi\r\nLine 13 NTSTATUS v12; // ST08_4\r\nLine 14 int v13; // eax\r\nLine 15 HANDLE v14; // eax\r\nLine 16 DWORD nNumberOfBytesToWrite; // [esp+Ch] [ebp-Ch]\r\nLine 17 int v17; // [esp+10h] [ebp-8h]\r\nLine 18\r\nLine 19 v1 = this;\r\nLine 20 v2 = 1;\r\nLine 21 wimHeader = (_WIMHEADER_V1_PACKED *)GetWimHeader(this);\r\nLine 22 if ( v1 )\r\nLine 23 {\r\nLine 24 LODWORD(v5) = *(_DWORD *)wimHeader->rhIntegrity.size_in_wim;\r\nLine 25 HIDWORD(v5) = *(_DWORD *)&wimHeader->rhIntegrity.size_in_wim[4];\r\nLine 26 nNumberOfBytesToWrite = v5;\r\nLine 27 if ( v5 )\r\nLine 28 {\r\nLine 29 if ( LODWORD(wimHeader->rhIntegrity.uncompressed_size) && !HIDWORD(wimHeader->rhIntegrity.uncompressed_size) )\r\nLine 30 {\r\nLine 31 uncompressSize = wimHeader->rhIntegrity.uncompressed_size;\r\nLine 32 v17 = HIDWORD(v5) & 0xFFFFFF;\r\nLine 33 v7 = GetProcessHeap();\r\nLine 34 uncompressBuffer = HeapAlloc(v7, 8u, uncompressSize);\r\nLine 35 v9 = uncompressBuffer;\r\nLine 36 if ( uncompressBuffer && ReadIntegrityInfo((int)v1, (int)uncompressBuffer, nNumberOfBytesToWrite, v17) )\r\nLine 37 {\r\n```\r\n\r\nAll values in the wimHeader structure come from the file and are fully controlled by attacker. The most important fields in the above code in our proof of concept have the following values:\r\n```\r\noffset 0x7C : wimHeader->rhIntegrity.size_in_wim = 0xFFF2\r\noffset 0x8C : wimHeader->rhIntegrity.uncompressed_size = 0x10\r\n```\r\n\r\nAt line 34, we see a heap buffer allocation. Its size is based on the uncompressed_size field coming from rhIntegrity structure. There is no check whether size_in_wim is bigger than the uncompressed_size field which turns out to be crucial, because further inside ReadIntegrityInfo, the size_in_wim value indicates how many bytes should be read from file into the buffer allocated based on the uncompressed_size value.\r\n```\r\nKERNELBASE!ReadFile:\r\n73d0e120 8bff mov edi,edi\r\n\r\n0:000> kb\r\n # ChildEBP RetAddr Args to Child \r\n00 0133f6fc 5003a803 0000004c 05f20ef0 0000fff2 KERNELBASE!ReadFile\r\n01 0133f734 5003a906 0000fff2 0133f7b0 00000000 WIMGAPI!ReadWriteDataInternal+0x89\r\n02 0133f78c 5004a8c7 0000fff2 0133f7b0 00000000 WIMGAPI!ReadWriteData+0x29\r\n03 0133f7c8 5004a99e 0000fff2 00000000 00000000 WIMGAPI!ReadIntegrityInfo+0x55\r\n04 0133f7f0 5002afeb 00000000 05f153d2 00000001 WIMGAPI!LoadIntegrityInfo+0x83\r\n05 0133fa78 009611b6 05f1fd88 80000000 00000003 WIMGAPI!WIMCreateFile+0x52b\r\n06 0133fd4c 00961eae 00000004 05f15398 05f15080 ConsoleApplication1!main+0x126 [t:\\projects\\bugs\\wim\\wimfuzzer\\consoleapplication1\\consoleapplication1\\consoleapplication1.cpp @ 58] \r\n07 (Inline) -------- -------- -------- -------- ConsoleApplication1!invoke_main+0x1c [f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe_common.inl @ 64] \r\n08 0133fd94 75018654 01100000 75018630 31652e02 ConsoleApplication1!__scrt_common_main_seh+0xf8 [f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe_common.inl @ 259] \r\n09 0133fda8 76fc4a77 01100000 ff37efb2 00000000 KERNEL32!BaseThreadInitThunk+0x24\r\n0a 0133fdf0 76fc4a47 ffffffff 76fe9ecb 00000000 ntdll!__RtlUserThreadStart+0x2f\r\n0b 0133fe00 00000000 00961f24 01100000 00000000 ntdll!_RtlUserThreadStart+0x1b\r\n\r\n0:000> dd esp+4 L3\r\n0133f704 0000004c 05f20ef0 0000fff2\r\n\r\n0:000> !heap -p -a 05f20ef0 \r\n address 05f20ef0 found in\r\n _HEAP @ 5f10000\r\n HEAP_ENTRY Size Prev Flags UserPtr UserSize - state\r\n 05f20ed8 0005 0000 [00] 05f20ef0 00010 - (busy)\r\n 7702eeff ntdll!RtlpCallInterceptRoutine+0x00000026\r\n 76fa16ee ntdll!RtlpAllocateHeapInternal+0x000002ee\r\n 76fa13ee ntdll!RtlAllocateHeap+0x0000003e\r\n 5004a989 WIMGAPI!LoadIntegrityInfo+0x0000006e\r\n 5002afeb WIMGAPI!WIMCreateFile+0x0000052b\r\n 9611b6 ConsoleApplication1!main+0x00000126\r\n 961eae ConsoleApplication1!__scrt_common_main_seh+0x000000f8\r\n 75018654 KERNEL32!BaseThreadInitThunk+0x00000024\r\n 76fc4a77 ntdll!__RtlUserThreadStart+0x0000002f\r\n 76fc4a47 ntdll!_RtlUserThreadStart+0x0000001b\r\n```\r\n\r\nThis situation leads to a fully controllable heap corruption, and can be turned into remote code execution by an attacker.\r\n\r\n### Crash Information\r\n```\r\n0:000> !analyze -v\r\n*******************************************************************************\r\n* *\r\n* Exception Analysis *\r\n* *\r\n*******************************************************************************\r\n\r\n\r\nDUMP_CLASS: 2\r\n\r\nDUMP_QUALIFIER: 0\r\n\r\nFAULTING_IP: \r\nntdll!RtlReportCriticalFailure+4b\r\n7703a83c cc int 3\r\n\r\nEXCEPTION_RECORD: (.exr -1)\r\nExceptionAddress: 7703a83c (ntdll!RtlReportCriticalFailure+0x0000004b)\r\n ExceptionCode: 80000003 (Break instruction exception)\r\n ExceptionFlags: 00000000\r\nNumberParameters: 1\r\n Parameter[0]: 00000000\r\n\r\nFAULTING_THREAD: 000037b4\r\n\r\nBUGCHECK_STR: BREAKPOINT\r\n\r\nDEFAULT_BUCKET_ID: BREAKPOINT\r\n\r\nPROCESS_NAME: ConsoleApplication1.exe\r\n\r\nERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.\r\n\r\nEXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid\r\n\r\nEXCEPTION_CODE_STR: 80000003\r\n\r\nEXCEPTION_PARAMETER1: 00000000\r\n\r\nWATSON_BKT_PROCSTAMP: 5aa26905\r\n\r\nWATSON_BKT_MODULE: ntdll.dll\r\n\r\nWATSON_BKT_MODSTAMP: 3a21d961\r\n\r\nWATSON_BKT_MODOFFSET: da83c\r\n\r\nWATSON_BKT_MODVER: 10.0.16299.248\r\n\r\nMODULE_VER_PRODUCT: Microsoft\u00ae Windows\u00ae Operating System\r\n\r\nBUILD_VERSION_STRING: 10.0.16299.15 (WinBuild.160101.0800)\r\n\r\nMODLIST_WITH_TSCHKSUM_HASH: 62c3758bb465dd1ebac418aeb1813920fdfc7979\r\n\r\nMODLIST_SHA1_HASH: 7c46ba31abc7c4fa70952fbe7df4952f821ea5db\r\n\r\nNTGLOBALFLAG: 1000\r\n\r\nAPPLICATION_VERIFIER_FLAGS: 0\r\n\r\nPRODUCT_TYPE: 1\r\n\r\nSUITE_MASK: 272\r\n\r\nDUMP_TYPE: fe\r\n\r\nANALYSIS_SESSION_HOST: DESKTOP-E4N8506\r\n\r\nANALYSIS_SESSION_TIME: 03-12-2018 16:09:47.0701\r\n\r\nANALYSIS_VERSION: 10.0.15063.468 x86fre\r\n\r\nTHREAD_ATTRIBUTES: \r\nADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]\r\n\r\nLAST_CONTROL_TRANSFER: from 77042f99 to 7703a83c\r\n\r\nTHREAD_SHA1_HASH_MOD_FUNC: 4961d5f0ba58498cd49e530ee6493c971e9fbc17\r\n\r\nTHREAD_SHA1_HASH_MOD_FUNC_OFFSET: 3b2680676d69e292359230962719215aa4599dbf\r\n\r\nOS_LOCALE: ENU\r\n\r\nPROBLEM_CLASSES: \r\n\r\n ID: [0n300]\r\n Type: [@APPLICATION_FAULT_STRING]\r\n Class: Primary\r\n Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)\r\n BUCKET_ID\r\n Name: Omit\r\n Data: Add\r\n String: [BREAKPOINT]\r\n PID: [Unspecified]\r\n TID: [Unspecified]\r\n Frame: [0]\r\n\r\nPRIMARY_PROBLEM_CLASS: BREAKPOINT\r\n\r\nSTACK_TEXT: \r\n00000000 00000000 heap_corruption!ConsoleApplication1.exe+0x0\r\n\r\n\r\nTHREAD_SHA1_HASH_MOD: ca4e26064d24ef7512d2e94de5a93c38dbe82fe9\r\n\r\nSYMBOL_STACK_INDEX: 0\r\n\r\nSYMBOL_NAME: heap_corruption!ConsoleApplication1.exe\r\n\r\nFOLLOWUP_NAME: MachineOwner\r\n\r\nMODULE_NAME: heap_corruption\r\n\r\nDEBUG_FLR_IMAGE_TIMESTAMP: 0\r\n\r\nSTACK_COMMAND: !heap ; ** Pseudo Context ** ; kb\r\n\r\nBUCKET_ID: BREAKPOINT_heap_corruption!ConsoleApplication1.exe\r\n\r\nFAILURE_EXCEPTION_CODE: 80000003\r\n\r\nIMAGE_NAME: heap_corruption\r\n\r\nFAILURE_IMAGE_NAME: heap_corruption\r\n\r\nBUCKET_ID_IMAGE_STR: heap_corruption\r\n\r\nFAILURE_MODULE_NAME: heap_corruption\r\n\r\nBUCKET_ID_MODULE_STR: heap_corruption\r\n\r\nFAILURE_FUNCTION_NAME: ConsoleApplication1.exe\r\n\r\nBUCKET_ID_FUNCTION_STR: ConsoleApplication1.exe\r\n\r\nBUCKET_ID_OFFSET: 0\r\n\r\nBUCKET_ID_MODTIMEDATESTAMP: 0\r\n\r\nBUCKET_ID_MODCHECKSUM: 0\r\n\r\nBUCKET_ID_MODVER_STR: 0.0.0.0\r\n\r\nBUCKET_ID_PREFIX_STR: BREAKPOINT_\r\n\r\nFAILURE_PROBLEM_CLASS: BREAKPOINT\r\n\r\nFAILURE_SYMBOL_NAME: heap_corruption!ConsoleApplication1.exe\r\n\r\nFAILURE_BUCKET_ID: BREAKPOINT_80000003_heap_corruption!ConsoleApplication1.exe\r\n\r\nTARGET_TIME: 2018-03-12T15:09:50.000Z\r\n\r\nOSBUILD: 16299\r\n\r\nOSSERVICEPACK: 15\r\n\r\nSERVICEPACK_NUMBER: 0\r\n\r\nOS_REVISION: 0\r\n\r\nOSPLATFORM_TYPE: x86\r\n\r\nOSNAME: Windows 10\r\n\r\nOSEDITION: Windows 10 WinNt SingleUserTS\r\n\r\nUSER_LCID: 0\r\n\r\nOSBUILD_TIMESTAMP: 2031-10-27 03:56:14\r\n\r\nBUILDDATESTAMP_STR: 160101.0800\r\n\r\nBUILDLAB_STR: WinBuild\r\n\r\nBUILDOSVER_STR: 10.0.16299.15\r\n\r\nANALYSIS_SESSION_ELAPSED_TIME: a3b\r\n\r\nANALYSIS_SOURCE: UM\r\n\r\nFAILURE_ID_HASH_STRING: um:breakpoint_80000003_heap_corruption!consoleapplication1.exe\r\n\r\nFAILURE_ID_HASH: {b2af3544-b437-1ecc-b8b1-827e2423f9a0}\r\n\r\nFollowup: MachineOwner\r\n---------\r\n```\r\n### Timeline\r\n* 2018-03-27 - Vendor Disclosure\r\n* 2018-06-12 - Public Release", "modified": "2018-06-21T00:00:00", "published": "2018-06-21T00:00:00", "id": "SSV:97354", "href": "https://www.seebug.org/vuldb/ssvid-97354", "type": "seebug", "title": "Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability(CVE-2018-8210)", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "symantec": [{"lastseen": "2018-06-13T00:08:33", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Windows is prone to an arbitrary code-execution vulnerability. A local attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1709 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2018-06-12T00:00:00", "published": "2018-06-12T00:00:00", "id": "SMNTC-104407", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/104407", "title": "Microsoft Windows CVE-2018-8210 Arbitrary Code Execution Vulnerability", "type": "symantec", "cvss": {"score": 0.0, "vector": "NONE"}}], "talos": [{"lastseen": "2020-07-01T21:24:56", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0545\n\n## Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability\n\n##### June 12, 2018\n\n##### CVE Number\n\nCVE-2018-8210\n\n### Summary\n\nAn exploitable heap corruption exists in the LoadIntegrityInfo function of wimgapi version 10.0.16299.15 (WinBuild.160101.0800). A crafted WIM image can lead to a heap corruption, resulting in direct code execution.\n\n### Tested Versions\n\nWIMGAPI 10.0.16299.15 (WinBuild.160101.0800)\n\n### Product URLs\n\n<https://www.microsoft.com>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-122: Heap-based Buffer Overflow\n\n### Details\n\nThis vulnerability is present in the `wimgapi` DLL, which is used for performing operations on Windows Imaging Forma (WIM) files. \nWIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. There is a vulnerability in the LoadIntegrityInfo function that manifests during the parsing of the WIM file header. A specially crafted WIM file can lead to a heap corruption and remote code execution. The vulnerability triggers even on the simplest operations performed on malformed WIM file because its related to file header parsing. It triggers just after we try to obtain a WIM file handle via:\n \n \n hWim = WIMCreateFile(pszWimFile.c_str(), // Path to existing .wim file\n \tWIM_GENERIC_READ, // Access mode\n \tWIM_OPEN_EXISTING, // Open disposition\n \tdwCreateFlags,\n \t0, // Compression type is ignored for WIM_OPEN_EXISTING.\n \t&dwCreateResult);\n \n\nInternally, the `wimgapi` will try to load part of the WIM header, which is the `Integrity Table Layout`. This operation is performed in the `LoadIntegrityInfo` function:\n \n \n Line 1 \tsigned int __thiscall LoadIntegrityInfo(void *this)\n Line 2 \t{\n Line 3 \t void *v1; // edi\n Line 4 \t signed int v2; // esi\n Line 5 \t _WIMHEADER_V1_PACKED *wimHeader; // eax MAPDST\n Line 6 \t __int64 v5; // rax\n Line 7 \t SIZE_T uncompressSize; // ST10_4\n Line 8 \t HANDLE v7; // eax\n Line 9 \t LPVOID uncompressBuffer; // eax\n Line 10\t void *v9; // ebx\n Line 11\t signed int v10; // eax\n Line 12\t DWORD v11; // esi\n Line 13\t NTSTATUS v12; // ST08_4\n Line 14\t int v13; // eax\n Line 15\t HANDLE v14; // eax\n Line 16\t DWORD nNumberOfBytesToWrite; // [esp+Ch] [ebp-Ch]\n Line 17\t int v17; // [esp+10h] [ebp-8h]\n Line 18\n Line 19\t v1 = this;\n Line 20\t v2 = 1;\n Line 21\t wimHeader = (_WIMHEADER_V1_PACKED *)GetWimHeader(this);\n Line 22\t if ( v1 )\n Line 23\t {\n Line 24\t\tLODWORD(v5) = *(_DWORD *)wimHeader->rhIntegrity.size_in_wim;\n Line 25\t\tHIDWORD(v5) = *(_DWORD *)&wimHeader->rhIntegrity.size_in_wim[4];\n Line 26\t\tnNumberOfBytesToWrite = v5;\n Line 27\t\tif ( v5 )\n Line 28\t\t{\n Line 29\t\t if ( LODWORD(wimHeader->rhIntegrity.uncompressed_size) && !HIDWORD(wimHeader->rhIntegrity.uncompressed_size) )\n Line 30\t\t {\n Line 31\t\t\tuncompressSize = wimHeader->rhIntegrity.uncompressed_size;\n Line 32\t\t\tv17 = HIDWORD(v5) & 0xFFFFFF;\n Line 33\t\t\tv7 = GetProcessHeap();\n Line 34\t\t\tuncompressBuffer = HeapAlloc(v7, 8u, uncompressSize);\n Line 35\t\t\tv9 = uncompressBuffer;\n Line 36\t\t\tif ( uncompressBuffer && ReadIntegrityInfo((int)v1, (int)uncompressBuffer, nNumberOfBytesToWrite, v17) )\n Line 37\t\t\t{\n \n\nAll values in the `wimHeader` structure come from the file and are fully controlled by attacker. The most important fields in the above code in our proof of concept have the following values:\n \n \n offset 0x7C : wimHeader->rhIntegrity.size_in_wim \t\t= 0xFFF2\n offset 0x8C : wimHeader->rhIntegrity.uncompressed_size = 0x10\n \n\nAt line 34, we see a heap buffer allocation. Its size is based on the `uncompressed_size` field coming from `rhIntegrity` structure. There is no check whether `size_in_wim` is bigger than the `uncompressed_size` field which turns out to be crucial, because further inside `ReadIntegrityInfo`, the `size_in_wim` value indicates how many bytes should be read from file into the buffer allocated based on the `uncompressed_size` value.\n \n \n KERNELBASE!ReadFile:\n 73d0e120 8bff mov edi,edi\n \n 0:000> kb\n # ChildEBP RetAddr Args to Child \n 00 0133f6fc 5003a803 0000004c 05f20ef0 0000fff2 KERNELBASE!ReadFile\n 01 0133f734 5003a906 0000fff2 0133f7b0 00000000 WIMGAPI!ReadWriteDataInternal+0x89\n 02 0133f78c 5004a8c7 0000fff2 0133f7b0 00000000 WIMGAPI!ReadWriteData+0x29\n 03 0133f7c8 5004a99e 0000fff2 00000000 00000000 WIMGAPI!ReadIntegrityInfo+0x55\n 04 0133f7f0 5002afeb 00000000 05f153d2 00000001 WIMGAPI!LoadIntegrityInfo+0x83\n 05 0133fa78 009611b6 05f1fd88 80000000 00000003 WIMGAPI!WIMCreateFile+0x52b\n 06 0133fd4c 00961eae 00000004 05f15398 05f15080 ConsoleApplication1!main+0x126 [t:\\projects\\bugs\\wim\\wimfuzzer\\consoleapplication1\\consoleapplication1\\consoleapplication1.cpp @ 58] \n 07 (Inline) -------- -------- -------- -------- ConsoleApplication1!invoke_main+0x1c [f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe_common.inl @ 64] \n 08 0133fd94 75018654 01100000 75018630 31652e02 ConsoleApplication1!__scrt_common_main_seh+0xf8 [f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe_common.inl @ 259] \n 09 0133fda8 76fc4a77 01100000 ff37efb2 00000000 KERNEL32!BaseThreadInitThunk+0x24\n 0a 0133fdf0 76fc4a47 ffffffff 76fe9ecb 00000000 ntdll!__RtlUserThreadStart+0x2f\n 0b 0133fe00 00000000 00961f24 01100000 00000000 ntdll!_RtlUserThreadStart+0x1b\n \n 0:000> dd esp+4 L3\n 0133f704 0000004c 05f20ef0 0000fff2\n \n 0:000> !heap -p -a 05f20ef0 \n \taddress 05f20ef0 found in\n \t_HEAP @ 5f10000\n \t HEAP_ENTRY Size Prev Flags UserPtr UserSize - state\n \t\t05f20ed8 0005 0000 [00] 05f20ef0 00010 - (busy)\n \t\t7702eeff ntdll!RtlpCallInterceptRoutine+0x00000026\n \t\t76fa16ee ntdll!RtlpAllocateHeapInternal+0x000002ee\n \t\t76fa13ee ntdll!RtlAllocateHeap+0x0000003e\n \t\t5004a989 WIMGAPI!LoadIntegrityInfo+0x0000006e\n \t\t5002afeb WIMGAPI!WIMCreateFile+0x0000052b\n \t\t9611b6 ConsoleApplication1!main+0x00000126\n \t\t961eae ConsoleApplication1!__scrt_common_main_seh+0x000000f8\n \t\t75018654 KERNEL32!BaseThreadInitThunk+0x00000024\n \t\t76fc4a77 ntdll!__RtlUserThreadStart+0x0000002f\n \t\t76fc4a47 ntdll!_RtlUserThreadStart+0x0000001b\n \n\nThis situation leads to a fully controllable heap corruption, and can be turned into remote code execution by an attacker.\n\n### Crash Information\n \n \n 0:000> !analyze -v\n *******************************************************************************\n * *\n * Exception Analysis *\n * *\n *******************************************************************************\n \n \n DUMP_CLASS: 2\n \n DUMP_QUALIFIER: 0\n \n FAULTING_IP: \n ntdll!RtlReportCriticalFailure+4b\n 7703a83c cc int 3\n \n EXCEPTION_RECORD: (.exr -1)\n ExceptionAddress: 7703a83c (ntdll!RtlReportCriticalFailure+0x0000004b)\n ExceptionCode: 80000003 (Break instruction exception)\n ExceptionFlags: 00000000\n NumberParameters: 1\n Parameter[0]: 00000000\n \n FAULTING_THREAD: 000037b4\n \n BUGCHECK_STR: BREAKPOINT\n \n DEFAULT_BUCKET_ID: BREAKPOINT\n \n PROCESS_NAME: ConsoleApplication1.exe\n \n ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.\n \n EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid\n \n EXCEPTION_CODE_STR: 80000003\n \n EXCEPTION_PARAMETER1: 00000000\n \n WATSON_BKT_PROCSTAMP: 5aa26905\n \n WATSON_BKT_MODULE: ntdll.dll\n \n WATSON_BKT_MODSTAMP: 3a21d961\n \n WATSON_BKT_MODOFFSET: da83c\n \n WATSON_BKT_MODVER: 10.0.16299.248\n \n MODULE_VER_PRODUCT: Microsoft\u00ae Windows\u00ae Operating System\n \n BUILD_VERSION_STRING: 10.0.16299.15 (WinBuild.160101.0800)\n \n MODLIST_WITH_TSCHKSUM_HASH: 62c3758bb465dd1ebac418aeb1813920fdfc7979\n \n MODLIST_SHA1_HASH: 7c46ba31abc7c4fa70952fbe7df4952f821ea5db\n \n NTGLOBALFLAG: 1000\n \n APPLICATION_VERIFIER_FLAGS: 0\n \n PRODUCT_TYPE: 1\n \n SUITE_MASK: 272\n \n DUMP_TYPE: fe\n \n ANALYSIS_SESSION_HOST: DESKTOP-E4N8506\n \n ANALYSIS_SESSION_TIME: 03-12-2018 16:09:47.0701\n \n ANALYSIS_VERSION: 10.0.15063.468 x86fre\n \n THREAD_ATTRIBUTES: \n ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]\n \n LAST_CONTROL_TRANSFER: from 77042f99 to 7703a83c\n \n THREAD_SHA1_HASH_MOD_FUNC: 4961d5f0ba58498cd49e530ee6493c971e9fbc17\n \n THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 3b2680676d69e292359230962719215aa4599dbf\n \n OS_LOCALE: ENU\n \n PROBLEM_CLASSES: \n \n \tID: [0n300]\n \tType: [@APPLICATION_FAULT_STRING]\n \tClass: Primary\n \tScope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)\n \t\t\tBUCKET_ID\n \tName: Omit\n \tData: Add\n \t\t\tString: [BREAKPOINT]\n \tPID: [Unspecified]\n \tTID: [Unspecified]\n \tFrame: [0]\n \n PRIMARY_PROBLEM_CLASS: BREAKPOINT\n \n STACK_TEXT: \n 00000000 00000000 heap_corruption!ConsoleApplication1.exe+0x0\n \n \n THREAD_SHA1_HASH_MOD: ca4e26064d24ef7512d2e94de5a93c38dbe82fe9\n \n SYMBOL_STACK_INDEX: 0\n \n SYMBOL_NAME: heap_corruption!ConsoleApplication1.exe\n \n FOLLOWUP_NAME: MachineOwner\n \n MODULE_NAME: heap_corruption\n \n DEBUG_FLR_IMAGE_TIMESTAMP: 0\n \n STACK_COMMAND: !heap ; ** Pseudo Context ** ; kb\n \n BUCKET_ID: BREAKPOINT_heap_corruption!ConsoleApplication1.exe\n \n FAILURE_EXCEPTION_CODE: 80000003\n \n IMAGE_NAME: heap_corruption\n \n FAILURE_IMAGE_NAME: heap_corruption\n \n BUCKET_ID_IMAGE_STR: heap_corruption\n \n FAILURE_MODULE_NAME: heap_corruption\n \n BUCKET_ID_MODULE_STR: heap_corruption\n \n FAILURE_FUNCTION_NAME: ConsoleApplication1.exe\n \n BUCKET_ID_FUNCTION_STR: ConsoleApplication1.exe\n \n BUCKET_ID_OFFSET: 0\n \n BUCKET_ID_MODTIMEDATESTAMP: 0\n \n BUCKET_ID_MODCHECKSUM: 0\n \n BUCKET_ID_MODVER_STR: 0.0.0.0\n \n BUCKET_ID_PREFIX_STR: BREAKPOINT_\n \n FAILURE_PROBLEM_CLASS: BREAKPOINT\n \n FAILURE_SYMBOL_NAME: heap_corruption!ConsoleApplication1.exe\n \n FAILURE_BUCKET_ID: BREAKPOINT_80000003_heap_corruption!ConsoleApplication1.exe\n \n TARGET_TIME: 2018-03-12T15:09:50.000Z\n \n OSBUILD: 16299\n \n OSSERVICEPACK: 15\n \n SERVICEPACK_NUMBER: 0\n \n OS_REVISION: 0\n \n OSPLATFORM_TYPE: x86\n \n OSNAME: Windows 10\n \n OSEDITION: Windows 10 WinNt SingleUserTS\n \n USER_LCID: 0\n \n OSBUILD_TIMESTAMP: 2031-10-27 03:56:14\n \n BUILDDATESTAMP_STR: 160101.0800\n \n BUILDLAB_STR: WinBuild\n \n BUILDOSVER_STR: 10.0.16299.15\n \n ANALYSIS_SESSION_ELAPSED_TIME: a3b\n \n ANALYSIS_SOURCE: UM\n \n FAILURE_ID_HASH_STRING: um:breakpoint_80000003_heap_corruption!consoleapplication1.exe\n \n FAILURE_ID_HASH: {b2af3544-b437-1ecc-b8b1-827e2423f9a0}\n \n Followup: MachineOwner\n ---------\n \n\n### Timeline\n\n2018-03-27 - Vendor Disclosure \n2018-06-12 - Public Release\n\n##### Credit\n\nDiscovered by Marcin 'Icewall' Noga of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0523\n\nPrevious Report\n\nTALOS-2018-0535\n", "modified": "2018-06-12T00:00:00", "published": "2018-06-12T00:00:00", "id": "TALOS-2018-0545", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0545", "title": "Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability", "type": "talos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-08T13:29:05", "bulletinFamily": "scanner", "description": "This host is missing an important security\n update according to Microsoft KB4284815", "modified": "2019-12-20T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813532", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813532", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284815)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284815)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813532\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-0978\", \"CVE-2018-1036\", \"CVE-2018-1040\", \"CVE-2018-8169\",\n \"CVE-2018-8205\", \"CVE-2018-8207\", \"CVE-2018-8210\", \"CVE-2018-8225\",\n \"CVE-2018-8249\", \"CVE-2018-8251\", \"CVE-2018-8267\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:16:31 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284815)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4284815\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - When NTFS improperly checks access.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - In Windows Domain Name System (DNS) DNSAPI.\n\n - In the way that the Windows Code Integrity Module performs hashing.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to gain elevated privileges, execute arbitrary code, install programs, view,\n change, or delete data or create new accounts with full user rights and create\n a denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284815\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"winload.efi\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.19035\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\winload.efi\",\n file_version:fileVer, vulnerable_range:\"Less than 6.3.9600.19035\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:10", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4284860", "modified": "2020-06-04T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813529", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813529", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284860)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284860)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813529\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-0978\", \"CVE-2018-1036\", \"CVE-2018-1040\", \"CVE-2018-8169\",\n \"CVE-2018-8201\", \"CVE-2018-8205\", \"CVE-2018-8207\", \"CVE-2018-8209\",\n \"CVE-2018-8210\", \"CVE-2018-8212\", \"CVE-2018-8213\", \"CVE-2018-8215\",\n \"CVE-2018-8216\", \"CVE-2018-8217\", \"CVE-2018-8221\", \"CVE-2018-8225\",\n \"CVE-2018-8226\", \"CVE-2018-8229\", \"CVE-2018-8231\", \"CVE-2018-8234\",\n \"CVE-2018-8235\", \"CVE-2018-8236\", \"CVE-2018-8251\", \"CVE-2018-8267\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:08:36 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284860)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284860\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - When Windows allows a normal user to access the Wireless LAN profile of an\n administrative user.\n\n - When Microsoft Edge improperly accesses objects in memory.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full user rights and create a denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284860\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17888\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.17888\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:07", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4284819", "modified": "2020-06-04T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813526", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813526", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284819)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284819)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813526\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-0871\", \"CVE-2018-0978\", \"CVE-2018-0982\", \"CVE-2018-1036\",\n \"CVE-2018-1040\", \"CVE-2018-8111\", \"CVE-2018-8113\", \"CVE-2018-8121\",\n \"CVE-2018-8140\", \"CVE-2018-8169\", \"CVE-2018-8175\", \"CVE-2018-8201\",\n \"CVE-2018-8205\", \"CVE-2018-8207\", \"CVE-2018-8208\", \"CVE-2018-8209\",\n \"CVE-2018-8210\", \"CVE-2018-8211\", \"CVE-2018-8212\", \"CVE-2018-8213\",\n \"CVE-2018-8214\", \"CVE-2018-8215\", \"CVE-2018-8218\", \"CVE-2018-8219\",\n \"CVE-2018-8221\", \"CVE-2018-8225\", \"CVE-2018-8226\", \"CVE-2018-8227\",\n \"CVE-2018-8229\", \"CVE-2018-8231\", \"CVE-2018-8234\", \"CVE-2018-8235\",\n \"CVE-2018-8236\", \"CVE-2018-8239\", \"CVE-2018-8251\", \"CVE-2018-8267\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:05:09 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284819)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284819\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - In Device Guard that could allow an attacker to inject malicious code into a\n Windows PowerShell session.\n\n - In Windows when Desktop Bridge does not properly manage the virtual registry.\n\n - When Windows allows a normal user to access the Wireless LAN profile of an\n administrative user.\n\n - When Cortana retrieves data from user input services without consideration for\n status.\n\n - When the Windows kernel improperly initializes objects in memory.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - In the way that the Windows Kernel API enforces permissions.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Microsoft Edge improperly accesses objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - When HTTP Protocol Stack (Http.\n\n - When the Windows GDI component improperly discloses the contents of its\n memory.\n\n - When Windows Hyper-V instruction emulation fails to properly enforce privilege\n levels.\n\n - When Windows NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n\n - When Microsoft Hyper-V Network Switch on a host server fails to properly\n validate input from a privileged user on a guest operating system.\n\n - In Internet Explorer that allows for bypassing Mark of the Web Tagging (MOTW).\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - When Edge improperly marks files.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full user rights and create a denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1709 for x32/x64-bit Systems.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284819\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.491\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.491\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:17", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4284874", "modified": "2020-06-04T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813527", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813527", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284874)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284874)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813527\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-0871\", \"CVE-2018-0978\", \"CVE-2018-0982\", \"CVE-2018-1036\",\n \"CVE-2018-1040\", \"CVE-2018-8113\", \"CVE-2018-8121\", \"CVE-2018-8169\",\n \"CVE-2018-8201\", \"CVE-2018-8205\", \"CVE-2018-8207\", \"CVE-2018-8208\",\n \"CVE-2018-8209\", \"CVE-2018-8210\", \"CVE-2018-8211\", \"CVE-2018-8212\",\n \"CVE-2018-8213\", \"CVE-2018-8214\", \"CVE-2018-8215\", \"CVE-2018-8216\",\n \"CVE-2018-8217\", \"CVE-2018-8219\", \"CVE-2018-8221\", \"CVE-2018-8225\",\n \"CVE-2018-8226\", \"CVE-2018-8227\", \"CVE-2018-8229\", \"CVE-2018-8231\",\n \"CVE-2018-8234\", \"CVE-2018-8235\", \"CVE-2018-8236\", \"CVE-2018-8239\",\n \"CVE-2018-8251\", \"CVE-2018-8267\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:06:23 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284874)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284874\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - In Device Guard that could allow an attacker to inject malicious code into a\n Windows PowerShell session.\n\n - In Windows when Desktop Bridge does not properly manage the virtual registry.\n\n - When Windows allows a normal user to access the Wireless LAN profile of an\n administrative user.\n\n - When the Windows kernel improperly initializes objects in memory.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - In the way that the Windows Kernel API enforces permissions.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Microsoft Edge improperly accesses objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - When the Windows GDI component improperly discloses the contents of its\n memory.\n\n - When Windows Hyper-V instruction emulation fails to properly enforce privilege\n levels.\n\n - In Internet Explorer that allows for bypassing Mark of the Web Tagging (MOTW).\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - When Edge improperly marks files.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full user rights, create a denial of service\n condition and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284874\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.1154\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.15063.0 - 11.0.15063.1154\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:05", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4284835", "modified": "2020-06-04T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813530", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813530", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284835)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284835)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813530\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-0871\", \"CVE-2018-0978\", \"CVE-2018-0982\", \"CVE-2018-1036\",\n \"CVE-2018-1040\", \"CVE-2018-8110\", \"CVE-2018-8113\", \"CVE-2018-8121\",\n \"CVE-2018-8140\", \"CVE-2018-8169\", \"CVE-2018-8175\", \"CVE-2018-8201\",\n \"CVE-2018-8205\", \"CVE-2018-8207\", \"CVE-2018-8208\", \"CVE-2018-8210\",\n \"CVE-2018-8211\", \"CVE-2018-8212\", \"CVE-2018-8213\", \"CVE-2018-8214\",\n \"CVE-2018-8215\", \"CVE-2018-8219\", \"CVE-2018-8221\", \"CVE-2018-8225\",\n \"CVE-2018-8226\", \"CVE-2018-8227\", \"CVE-2018-8229\", \"CVE-2018-8231\",\n \"CVE-2018-8233\", \"CVE-2018-8234\", \"CVE-2018-8235\", \"CVE-2018-8236\",\n \"CVE-2018-8239\", \"CVE-2018-8251\", \"CVE-2018-8267\", \"CVE-2018-1003\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:09:57 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284835)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284835\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - In Device Guard that could allow an attacker to inject malicious code into a\n Windows PowerShell session.\n\n - In Windows when Desktop Bridge does not properly manage the virtual registry.\n\n - When Cortana retrieves data from user input services without consideration for\n status.\n\n - When the Windows kernel improperly initializes objects in memory.\n\n - In Windows when the Win32k component fails to properly handle objects in\n memory.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - In the way that the Windows Kernel API enforces permissions.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Microsoft Edge improperly accesses objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - When the Windows GDI component improperly discloses the contents of its\n memory.\n\n - When Windows Hyper-V instruction emulation fails to properly enforce privilege\n levels.\n\n - When Windows NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n\n - In Internet Explorer that allows for bypassing Mark of the Web Tagging (MOTW).\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - When Edge improperly marks files.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full user rights and create a denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1803 x32/x64-bit Systems.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284835\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.111\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.111\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:28:59", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4284880", "modified": "2019-12-20T00:00:00", "published": "2018-06-13T00:00:00", "id": "OPENVAS:1361412562310813528", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813528", "title": "Microsoft Windows Multiple Vulnerabilities (KB4284880)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4284880)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813528\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2018-0978\", \"CVE-2018-0982\", \"CVE-2018-1036\", \"CVE-2018-1040\",\n \"CVE-2018-8169\", \"CVE-2018-8201\", \"CVE-2018-8205\", \"CVE-2018-8207\",\n \"CVE-2018-8208\", \"CVE-2018-8209\", \"CVE-2018-8210\", \"CVE-2018-8211\",\n \"CVE-2018-8212\", \"CVE-2018-8213\", \"CVE-2018-8214\", \"CVE-2018-8215\",\n \"CVE-2018-8216\", \"CVE-2018-8217\", \"CVE-2018-8219\", \"CVE-2018-8221\",\n \"CVE-2018-8225\", \"CVE-2018-8226\", \"CVE-2018-8229\", \"CVE-2018-8231\",\n \"CVE-2018-8234\", \"CVE-2018-8235\", \"CVE-2018-8236\", \"CVE-2018-8239\",\n \"CVE-2018-8251\", \"CVE-2018-8267\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-13 09:07:28 +0530 (Wed, 13 Jun 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4284880)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4284880\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When the Windows kernel improperly handles objects in memory.\n\n - When Windows improperly handles objects in memory.\n\n - When the (Human Interface Device) HID Parser Library driver improperly handles\n objects in memory.\n\n - In Device Guard that could allow an attacker to inject malicious code into a\n Windows PowerShell session.\n\n - In Windows when Desktop Bridge does not properly manage the virtual registry.\n\n - When Windows allows a normal user to access the Wireless LAN profile of an\n administrative user.\n\n - In the way that the Windows Code Integrity Module performs hashing.\n\n - When Microsoft Edge improperly handles requests of different origins.\n\n - In the way that the Windows Kernel API enforces permissions.\n\n - When Microsoft Edge improperly handles objects in memory.\n\n - When Microsoft Edge improperly accesses objects in memory.\n\n - When Windows Media Foundation improperly handles objects in memory.\n\n - When the Windows GDI component improperly discloses the contents of its\n memory.\n\n - When Windows Hyper-V instruction emulation fails to properly enforce privilege\n levels.\n\n - When Internet Explorer improperly accesses objects in memory.\n\n - When NTFS improperly checks access.\n\n - In the way that the Chakra scripting engine handles objects in memory in\n Microsoft Edge.\n\n - In the way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - In Windows Domain Name System (DNS) DNSAPI.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain information to further compromise the user's system, run processes in\n an elevated context, inject code into a trusted PowerShell process, execute\n arbitrary code, read privileged data, force the browser to send restricted data,\n interject cross-process communication, install programs, view, change, or delete\n data or create new accounts with full user rights and create a denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4284880\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.2311\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 11.0.14393.2311\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-07-01T04:24:37", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4284878\nor cumulative update 4284815. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978,\n CVE-2018-8249)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)", "modified": "2020-07-02T00:00:00", "id": "SMB_NT_MS18_JUN_4284815.NASL", "href": "https://www.tenable.com/plugins/nessus/110484", "published": "2018-06-12T00:00:00", "title": "KB4284878: Windows 8.1 and Windows Server 2012 R2 June 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110484);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-0978\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8169\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8210\",\n \"CVE-2018-8225\",\n \"CVE-2018-8249\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104356,\n 104360,\n 104363,\n 104364,\n 104379,\n 104389,\n 104391,\n 104395,\n 104398,\n 104404,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284878\");\n script_xref(name:\"MSKB\", value:\"4284815\");\n script_xref(name:\"MSFT\", value:\"MS18-4284878\");\n script_xref(name:\"MSFT\", value:\"MS18-4284815\");\n\n script_name(english:\"KB4284878: Windows 8.1 and Windows Server 2012 R2 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284878\nor cumulative update 4284815. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978,\n CVE-2018-8249)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\");\n # https://support.microsoft.com/en-us/help/4284878/windows-81-update-kb4284878\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?224e0ffb\");\n # https://support.microsoft.com/en-us/help/4284815/windows-81-update-kb4284815\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?43458adc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4284878 or Cumulative Update KB4284815.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8225\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284878', '4284815');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284878, 4284815])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:24:37", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4284846\nor cumulative update 4284855. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)", "modified": "2020-07-02T00:00:00", "id": "SMB_NT_MS18_JUN_4284855.NASL", "href": "https://www.tenable.com/plugins/nessus/110488", "published": "2018-06-12T00:00:00", "title": "KB4284846: Windows Server 2012 June 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110488);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-0978\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8169\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8210\",\n \"CVE-2018-8225\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104356,\n 104360,\n 104364,\n 104379,\n 104389,\n 104391,\n 104395,\n 104398,\n 104404,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284846\");\n script_xref(name:\"MSKB\", value:\"4284855\");\n script_xref(name:\"MSFT\", value:\"MS18-4284846\");\n script_xref(name:\"MSFT\", value:\"MS18-4284855\");\n\n script_name(english:\"KB4284846: Windows Server 2012 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284846\nor cumulative update 4284855. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\");\n # https://support.microsoft.com/en-us/help/4284846/windows-server-2012-update-kb4284846\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eceb7954\");\n # https://support.microsoft.com/en-us/help/4284855/windows-server-2012-update-kb4284855\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a2bb9819\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4284846 or Cumulative Update KB4284855.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8225\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284846', '4284855');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284846, 4284855])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:24:37", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4284860.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8229)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8212, CVE-2018-8215,\n CVE-2018-8216, CVE-2018-8217, CVE-2018-8221)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)", "modified": "2020-07-02T00:00:00", "id": "SMB_NT_MS18_JUN_4284860.NASL", "href": "https://www.tenable.com/plugins/nessus/110489", "published": "2018-06-12T00:00:00", "title": "KB4284860: Windows 10 June 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110489);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-0978\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8169\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8209\",\n \"CVE-2018-8210\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8215\",\n \"CVE-2018-8216\",\n \"CVE-2018-8217\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104328,\n 104331,\n 104333,\n 104334,\n 104336,\n 104337,\n 104338,\n 104340,\n 104343,\n 104356,\n 104360,\n 104361,\n 104364,\n 104369,\n 104373,\n 104379,\n 104389,\n 104391,\n 104393,\n 104395,\n 104398,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284860\");\n script_xref(name:\"MSFT\", value:\"MS18-4284860\");\n\n script_name(english:\"KB4284860: Windows 10 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284860.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8229)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8212, CVE-2018-8215,\n CVE-2018-8216, CVE-2018-8217, CVE-2018-8221)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\");\n # https://support.microsoft.com/en-us/help/4284860/windows-10-update-kb4284860\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?686a6741\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4284860.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284860');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284860])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:24:37", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4284880.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8229)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8212, CVE-2018-8215,\n CVE-2018-8216, CVE-2018-8217, CVE-2018-8221)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)", "modified": "2020-07-02T00:00:00", "id": "SMB_NT_MS18_JUN_4284880.NASL", "href": "https://www.tenable.com/plugins/nessus/110491", "published": "2018-06-12T00:00:00", "title": "KB4284880: Windows 10 Version 1607 and Windows Server 2016 June 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110491);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-0978\",\n \"CVE-2018-0982\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8169\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8208\",\n \"CVE-2018-8209\",\n \"CVE-2018-8210\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8214\",\n \"CVE-2018-8215\",\n \"CVE-2018-8216\",\n \"CVE-2018-8217\",\n \"CVE-2018-8219\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8239\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104328,\n 104331,\n 104333,\n 104334,\n 104336,\n 104337,\n 104338,\n 104340,\n 104343,\n 104353,\n 104356,\n 104360,\n 104361,\n 104364,\n 104369,\n 104373,\n 104379,\n 104382,\n 104389,\n 104391,\n 104392,\n 104393,\n 104394,\n 104395,\n 104398,\n 104401,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284880\");\n script_xref(name:\"MSFT\", value:\"MS18-4284880\");\n\n script_name(english:\"KB4284880: Windows 10 Version 1607 and Windows Server 2016 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284880.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8229)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8212, CVE-2018-8215,\n CVE-2018-8216, CVE-2018-8217, CVE-2018-8221)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)\");\n # https://support.microsoft.com/en-us/help/4284880/windows-10-update-kb4284880\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3dae2364\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4284880.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284880');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284880])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:24:37", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4284819.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2018-8218)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An denial of service vulnerability exists when Windows\n NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n An attacker who successfully exploited the vulnerability\n could cause a denial of service. (CVE-2018-8175)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8221)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - An Elevation of Privilege vulnerability exists when\n Cortana retrieves data from user input services without\n consideration for status. An attacker who successfully\n exploited the vulnerability could execute commands with\n elevated permissions. (CVE-2018-8140)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8111,\n CVE-2018-8236)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)", "modified": "2020-07-02T00:00:00", "id": "SMB_NT_MS18_JUN_4284819.NASL", "href": "https://www.tenable.com/plugins/nessus/110485", "published": "2018-06-12T00:00:00", "title": "KB4284819: Windows 10 Version 1709 and Windows Server Version 1709 June 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110485);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/04/05 23:25:09\");\n\n script_cve_id(\n \"CVE-2018-0871\",\n \"CVE-2018-0978\",\n \"CVE-2018-0982\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8111\",\n \"CVE-2018-8113\",\n \"CVE-2018-8121\",\n \"CVE-2018-8140\",\n \"CVE-2018-8169\",\n \"CVE-2018-8175\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8208\",\n \"CVE-2018-8209\",\n \"CVE-2018-8210\",\n \"CVE-2018-8211\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8214\",\n \"CVE-2018-8215\",\n \"CVE-2018-8218\",\n \"CVE-2018-8219\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8227\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8239\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104326,\n 104328,\n 104331,\n 104333,\n 104335,\n 104336,\n 104338,\n 104339,\n 104340,\n 104343,\n 104353,\n 104354,\n 104356,\n 104359,\n 104360,\n 104361,\n 104364,\n 104365,\n 104368,\n 104369,\n 104373,\n 104379,\n 104380,\n 104382,\n 104389,\n 104391,\n 104392,\n 104393,\n 104394,\n 104395,\n 104398,\n 104401,\n 104402,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284819\");\n script_xref(name:\"MSFT\", value:\"MS18-4284819\");\n\n script_name(english:\"KB4284819: Windows 10 Version 1709 and Windows Server Version 1709 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284819.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2018-8218)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An denial of service vulnerability exists when Windows\n NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n An attacker who successfully exploited the vulnerability\n could cause a denial of service. (CVE-2018-8175)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8221)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - An Elevation of Privilege vulnerability exists when\n Cortana retrieves data from user input services without\n consideration for status. An attacker who successfully\n exploited the vulnerability could execute commands with\n elevated permissions. (CVE-2018-8140)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8111,\n CVE-2018-8236)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)\");\n # https://support.microsoft.com/en-us/help/4284819/windows-10-update-kb4284819\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?21a2fb0a\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4284819.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284819');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284819])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:24:37", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4284874.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8216, CVE-2018-8217,\n CVE-2018-8221)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)", "modified": "2020-07-02T00:00:00", "id": "SMB_NT_MS18_JUN_4284874.NASL", "href": "https://www.tenable.com/plugins/nessus/110490", "published": "2018-06-12T00:00:00", "title": "KB4284874: Windows 10 Version 1703 June 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110490);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-0871\",\n \"CVE-2018-0978\",\n \"CVE-2018-0982\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8113\",\n \"CVE-2018-8121\",\n \"CVE-2018-8169\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8208\",\n \"CVE-2018-8209\",\n \"CVE-2018-8210\",\n \"CVE-2018-8211\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8214\",\n \"CVE-2018-8215\",\n \"CVE-2018-8216\",\n \"CVE-2018-8217\",\n \"CVE-2018-8219\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8227\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8239\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104326,\n 104328,\n 104331,\n 104333,\n 104334,\n 104336,\n 104337,\n 104338,\n 104339,\n 104340,\n 104343,\n 104353,\n 104356,\n 104360,\n 104361,\n 104364,\n 104365,\n 104368,\n 104369,\n 104373,\n 104379,\n 104380,\n 104382,\n 104389,\n 104391,\n 104392,\n 104393,\n 104394,\n 104395,\n 104398,\n 104401,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284874\");\n script_xref(name:\"MSFT\", value:\"MS18-4284874\");\n\n script_name(english:\"KB4284874: Windows 10 Version 1703 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284874.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8216, CVE-2018-8217,\n CVE-2018-8221)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - An information disclosure vulnerability exists when\n Windows allows a normal user to access the Wireless LAN\n profile of an administrative user. An authenticated\n attacker who successfully exploited the vulnerability\n could access the Wireless LAN profile of an\n administrative user, including passwords for wireless\n networks. An attacker would need to log on to the\n affected system and run a specific command. The security\n update addresses the vulnerability by changing the way\n that Windows enforces access permissions to Wireless LAN\n profiles. (CVE-2018-8209)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8236)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)\");\n # https://support.microsoft.com/en-us/help/4284874/windows-10-update-kb4284874\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19db0c08\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4284874.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284874');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284874])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:24:37", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4284835.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An denial of service vulnerability exists when Windows\n NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n An attacker who successfully exploited the vulnerability\n could cause a denial of service. (CVE-2018-8175)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8221)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - An Elevation of Privilege vulnerability exists when\n Cortana retrieves data from user input services without\n consideration for status. An attacker who successfully\n exploited the vulnerability could execute commands with\n elevated permissions. (CVE-2018-8140)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8233)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8110,\n CVE-2018-8236)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)", "modified": "2020-07-02T00:00:00", "id": "SMB_NT_MS18_JUN_4284835.NASL", "href": "https://www.tenable.com/plugins/nessus/110487", "published": "2018-06-12T00:00:00", "title": "KB4284835: Windows 10 Version 1803 and Windows Server Version 1803 June 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110487);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/04/05 23:25:09\");\n\n script_cve_id(\n \"CVE-2018-0871\",\n \"CVE-2018-0978\",\n \"CVE-2018-0982\",\n \"CVE-2018-1036\",\n \"CVE-2018-1040\",\n \"CVE-2018-8110\",\n \"CVE-2018-8113\",\n \"CVE-2018-8121\",\n \"CVE-2018-8140\",\n \"CVE-2018-8169\",\n \"CVE-2018-8175\",\n \"CVE-2018-8201\",\n \"CVE-2018-8205\",\n \"CVE-2018-8207\",\n \"CVE-2018-8208\",\n \"CVE-2018-8210\",\n \"CVE-2018-8211\",\n \"CVE-2018-8212\",\n \"CVE-2018-8213\",\n \"CVE-2018-8214\",\n \"CVE-2018-8215\",\n \"CVE-2018-8219\",\n \"CVE-2018-8221\",\n \"CVE-2018-8225\",\n \"CVE-2018-8226\",\n \"CVE-2018-8227\",\n \"CVE-2018-8229\",\n \"CVE-2018-8231\",\n \"CVE-2018-8233\",\n \"CVE-2018-8234\",\n \"CVE-2018-8235\",\n \"CVE-2018-8236\",\n \"CVE-2018-8239\",\n \"CVE-2018-8251\",\n \"CVE-2018-8267\"\n );\n script_bugtraq_id(\n 104326,\n 104328,\n 104330,\n 104331,\n 104333,\n 104336,\n 104338,\n 104339,\n 104340,\n 104343,\n 104353,\n 104354,\n 104356,\n 104359,\n 104360,\n 104361,\n 104364,\n 104365,\n 104368,\n 104369,\n 104373,\n 104379,\n 104380,\n 104382,\n 104383,\n 104389,\n 104391,\n 104392,\n 104394,\n 104395,\n 104398,\n 104401,\n 104404,\n 104406,\n 104407\n );\n script_xref(name:\"MSKB\", value:\"4284835\");\n script_xref(name:\"MSFT\", value:\"MS18-4284835\");\n\n script_name(english:\"KB4284835: Windows 10 Version 1803 and Windows Server Version 1803 June 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4284835.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when the\n (Human Interface Device) HID Parser Library driver\n improperly handles objects in memory. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. (CVE-2018-8169)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2018-8251)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8205)\n\n - An denial of service vulnerability exists when Windows\n NT WEBDAV Minirdr attempts to query a WEBDAV directory.\n An attacker who successfully exploited the vulnerability\n could cause a denial of service. (CVE-2018-8175)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2018-8239)\n\n - A remote code execution vulnerability exists when HTTP\n Protocol Stack (Http.sys) improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code and take\n control of the affected system. (CVE-2018-8231)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2018-8121)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212,\n CVE-2018-8215, CVE-2018-8221)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8234)\n\n - An Elevation of Privilege vulnerability exists when\n Cortana retrieves data from user input services without\n consideration for status. An attacker who successfully\n exploited the vulnerability could execute commands with\n elevated permissions. (CVE-2018-8140)\n\n - A denial of service vulnerability exists in the HTTP 2.0\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP 2.0 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2018-8226)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8267)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8207)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8233)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-1036)\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the Local System\n Account. (CVE-2018-8225)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8235)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8227, CVE-2018-8229)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-0978)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V instruction emulation fails to properly\n enforce privilege levels. An attacker who successfully\n exploited this vulnerability could gain elevated\n privileges on a target guest operating system. The host\n operating system is not vulnerable to this attack. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, the vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerability by correcting how privileges are\n enforced by Windows Hyper-V instruction emulation.\n (CVE-2018-8219)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8110,\n CVE-2018-8236)\n\n - An information disclosure vulnerability exists when Edge\n improperly marks files. An attacker who successfully\n exploited this vulnerability could exfiltrate file\n contents from disk. For an attack to be successful, an\n attacker must persuade a user to open a malicious\n website. The security update addresses the vulnerability\n by properly marking files. (CVE-2018-0871)\n\n - A denial of service vulnerability exists in the way that\n the Windows Code Integrity Module performs hashing. An\n attacker who successfully exploited the vulnerability\n could cause a system to stop responding. Note that the\n denial of service condition would not allow an attacker\n to execute code or to elevate user privileges. However,\n the denial of service condition could prevent authorized\n users from using system resources. An attacker could\n host a specially crafted file in a website or SMB share.\n The attacker could also take advantage of compromised\n websites, or websites that accept or host user-provided\n content or advertisements, by adding specially crafted\n content that could exploit the vulnerability. However,\n in all cases an attacker would have no way to force\n users to view the attacker-controlled content. Instead,\n an attacker would have to convince users to take action,\n typically via an enticement in email or instant message,\n or by getting them to open an email attachment. The\n security update addresses the vulnerability by modifying\n how the Code Integrity Module performs hashing.\n (CVE-2018-1040)\n\n - A security feature bypass vulnerability exists in\n Internet Explorer that allows for bypassing Mark of the\n Web Tagging (MOTW). Failing to set the MOTW means that a\n large number of Microsoft security technologies are\n bypassed. (CVE-2018-8113)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2018-8210, CVE-2018-8213)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-0982)\n\n - An elevation of privilege vulnerability exists in\n Windows when Desktop Bridge does not properly manage the\n virtual registry. An attacker who successfully exploited\n this vulnerability could run arbitrary code in kernel\n mode. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2018-8208, CVE-2018-8214)\");\n # https://support.microsoft.com/en-us/help/4284835/windows-10-update-kb4284835\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7614a17f\");\n script_set_attribute(attribute:\"solution\", value:\n \"Apply Cumulative Update KB4284835.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8231\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-06\";\nkbs = make_list('4284835');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"06_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4284835])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:27", "bulletinFamily": "info", "description": "### *Detect date*:\n06/12/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, bypass security restrictions, cause denial of service or gain privileges.\n\n### *Affected products*:\nMicrosoft Surface Book 2 \nMicrosoft Surface Laptop \nMicrosoft Surface Studio \nSurface Pro Model 1796 \nSurface Pro with Advanced LTE Model 1807 \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1709 for 64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows RT 8.1 \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 \nWindows Server 2012 (Server Core installation) \nWindows Server 2012 R2 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2016 \nWindows Server 2016 (Server Core installation) \nWindows Server, version 1709 (Server Core Installation) \nWindows Server, version 1803 (Server Core Installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8140](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8140>) \n[CVE-2018-8226](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8226>) \n[CVE-2018-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1040>) \n[CVE-2018-8212](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8212>) \n[CVE-2018-8201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8201>) \n[CVE-2018-8205](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8205>) \n[CVE-2018-8221](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8221>) \n[CVE-2018-8213](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8213>) \n[CVE-2018-8219](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8219>) \n[CVE-2018-8217](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8217>) \n[CVE-2018-8210](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210>) \n[CVE-2018-8233](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8233>) \n[CVE-2018-8169](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8169>) \n[CVE-2018-8239](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8239>) \n[CVE-2018-8224](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8224>) \n[CVE-2018-1036](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1036>) \n[CVE-2018-8121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8121>) \n[CVE-2018-8231](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8231>) \n[CVE-2018-8207](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8207>) \n[CVE-2018-8251](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8251>) \n[CVE-2018-0982](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0982>) \n[CVE-2018-8215](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8215>) \n[CVE-2018-8211](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8211>) \n[CVE-2018-8214](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8214>) \n[CVE-2018-8218](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8218>) \n[CVE-2018-8225](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8225>) \n[CVE-2018-8209](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8209>) \n[CVE-2018-8208](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8208>) \n[CVE-2018-8175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8175>) \n[CVE-2018-8216](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8216>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2018-8140](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8140>)6.8Critical \n[CVE-2018-8226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8226>)7.5Critical \n[CVE-2018-1040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1040>)5.4Critical \n[CVE-2018-8212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8212>)5.3Critical \n[CVE-2018-8201](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8201>)4.5Critical \n[CVE-2018-8205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8205>)4.9Critical \n[CVE-2018-8221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8221>)5.3Critical \n[CVE-2018-8213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8213>)7.8Critical \n[CVE-2018-8219](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8219>)8.8Critical \n[CVE-2018-8217](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8217>)5.3Critical \n[CVE-2018-8210](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8210>)7.2Critical \n[CVE-2018-8233](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8233>)7.2Critical \n[CVE-2018-8169](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8169>)6.9Critical \n[CVE-2018-8239](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8239>)5.5Critical \n[CVE-2018-8224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8224>)7.0Critical \n[CVE-2018-1036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1036>)6.9Critical \n[CVE-2018-8121](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8121>)4.7Critical \n[CVE-2018-8231](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8231>)8.1Critical \n[CVE-2018-8207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8207>)1.9Critical \n[CVE-2018-8251](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8251>)7.6Critical \n[CVE-2018-0982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0982>)7.0Critical \n[CVE-2018-8215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8215>)5.3Critical \n[CVE-2018-8211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8211>)5.3Critical \n[CVE-2018-8214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8214>)6.9Critical \n[CVE-2018-8218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8218>)7.7Critical \n[CVE-2018-8225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8225>)9.3Critical \n[CVE-2018-8209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8209>)8.0Critical \n[CVE-2018-8208](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8208>)6.9Critical \n[CVE-2018-8175](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8175>)6.5Critical \n[CVE-2018-8216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8216>)5.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4284867](<http://support.microsoft.com/kb/4284867>) \n[4284860](<http://support.microsoft.com/kb/4284860>) \n[4284874](<http://support.microsoft.com/kb/4284874>) \n[4284826](<http://support.microsoft.com/kb/4284826>) \n[4284835](<http://support.microsoft.com/kb/4284835>) \n[4284880](<http://support.microsoft.com/kb/4284880>) \n[4284819](<http://support.microsoft.com/kb/4284819>) \n[4284855](<http://support.microsoft.com/kb/4284855>) \n[4284815](<http://support.microsoft.com/kb/4284815>) \n[4284878](<http://support.microsoft.com/kb/4284878>) \n[4230467](<http://support.microsoft.com/kb/4230467>) \n[4234459](<http://support.microsoft.com/kb/4234459>) \n[4284846](<http://support.microsoft.com/kb/4284846>) \n[4294413](<http://support.microsoft.com/kb/4294413>)", "modified": "2019-03-07T00:00:00", "published": "2018-06-12T00:00:00", "id": "KLA11266", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11266", "title": "\r KLA11266Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talosblog": [{"lastseen": "2018-07-10T22:29:40", "bulletinFamily": "blog", "description": "## Executive Summary\n\n \nMicrosoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 50 flaws, with 11 of them rated \"critical,\" and 39 rated \"important.\" These vulnerabilities impact Microsoft Edge, Internet Explorer, Chakra Scripting Engine, Windows DNSAPI, Microsoft Office, Windows Kernel and more. \n \nIn addition to the 50 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180014, the June 2018 Adobe Flash Security Update, which addresses the vulnerabilities described in the security bulletin. \n\n\n### Critical vulnerabilities\n\n \nThis month, Microsoft is addressing 11 vulnerabilities that are rated \"critical.\" Talos believes these three vulnerabilities in particular are notable and require prompt attention. \n \n[CVE-2018-8225 - Windows DNSAPI Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8225>) \n \nA remote code vulnerability is present within Windows DNS. This vulnerability manifests due to DNSAPI.dll improperly handling DNS responses. This vulnerability could allow a remote attacker to execute arbitrary code within the context of the LocalSystem account on affected systems. An attacker could leverage a malicious DNS server and send specially crafted DNS responses to trigger this vulnerability. \n \n[CVE-2018-8229 - Chakra Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8229>) \n \nA remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker controlled webpage, or simply a page that hosts external content, such as advertisements. \n \n[CVE-2018-8267 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8267>) \n \nA remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to scripting engine not properly handling objects in memory in Internet Explorer. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability was publicly disclosed prior to a patch being made available. \n \nOther vulnerabilities deemed \"critical\" are listed below: \n\n\n * [CVE-2018-8110 - Microsoft Edge Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8110>)\n * [CVE-2018-8111 - Microsoft Edge Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8111>)\n * [CVE-2018-8213 - Windows Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8213>)\n * [CVE-2018-8231 - HTTP Protocol Stack Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8231>)\n * [CVE-2018-8236 - Microsoft Edge Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8236>)\n * [CVE-2018-8243 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8243>)\n * [CVE-2018-8249 - Internet Explorer Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8249>)\n * [CVE-2018-8251 - Media Foundation Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8251>)\n * [CVE-2018-8267 - Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8267>)\n\n### Important vulnerabilities\n\n \nThis month, Microsoft is addressing 39 vulnerabilities that are rated \"important.\" One of these vulnerabilities is TALOS-2018-0545, which was assigned [CVE-2018-8210](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210>). This vulnerability is a Windows remote code execution flaw that was discovered by Marcin Noga of Cisco Talos. Additional information related to this vulnerability can be found in the advisory report [here](<https://www.talosintelligence.com/reports/TALOS-2018-0545>). \n \nAdditionally, Talos believes the following vulnerability is notable and requires prompt attention. \n \n[CVE-2018-8227 - Chakra Scripting Engine Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8227>) \n \nA remote code execution vulnerability is present within the Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker controlled webpage, or simply a page that hosts external content, such as advertisements. \n \nOther vulnerabilities deemed \"important\" are listed below: \n\n\n * [CVE-2018-0871 - Microsoft Edge Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0871>)\n * [CVE-2018-0978 - Internet Explorer Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0978>)\n * [CVE-2018-0982 - Windows Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0982>)\n * [CVE-2018-1036 - NTFS Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1036>)\n * [CVE-2018-1040 - Windows Code Integrity Module Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1040>)\n * [CVE-2018-8113 - Internet Explorer Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8113>)\n * [CVE-2018-8121 - Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8121>)\n * [CVE-2018-8140 - Cortana Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8140>)\n * [CVE-2018-8169 - HIDParser Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8169>)\n * [CVE-2018-8175 - WEBDAV Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8175>)\n * [CVE-2018-8201 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8201>)\n * [CVE-2018-8205 - Windows Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8205>)\n * [CVE-2018-8207 - Windows Kernel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8207>)\n * [CVE-2018-8208 - Windows Desktop Bridge Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8208>)\n * [CVE-2018-8209 - Windows Wireless Network Profile Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8209>)\n * [CVE-2018-8210 - Windows Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210>)\n * [CVE-2018-8211 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8211>)\n * [CVE-2018-8212 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8212>)\n * [CVE-2018-8214 - Windows Desktop Bridge Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8214>)\n * [CVE-2018-8215 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8215>)\n * [CVE-2018-8216 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8216>)\n * [CVE-2018-8217 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8217>)\n * [CVE-2018-8218 - Windows Hyper-V Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8218>)\n * [CVE-2018-8219 - Hypervisor Code Integrity Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8219>)\n * [CVE-2018-8221 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8221>)\n * [CVE-2018-8224 - Windows Kernel Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8224>)\n * [CVE-2018-8226 - HTTP.sys Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8226>)\n * [CVE-2018-8233 - Win32k Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8233>)\n * [CVE-2018-8234 - Microsoft Edge Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8234>)\n * [CVE-2018-8235 - Microsoft Edge Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8235>)\n * [CVE-2018-8239 - Windows GDI Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8239>)\n * [CVE-2018-8244 - Microsoft Outlook Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8244>)\n * [CVE-2018-8245 - Microsoft Office Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8245>)\n * [CVE-2018-8246 - Microsoft Excel Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8246>)\n * [CVE-2018-8247 - Microsoft Office Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8247>)\n * [CVE-2018-8248 - Microsoft Excel Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8248>)\n * [CVE-2018-8252 - Microsoft SharePoint Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8252>)\n * [CVE-2018-8254 - Microsoft SharePoint Elevation of Privilege Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8254>)\n\n### Coverage\n\n \nIn response to these vulnerability disclosures, Talos is releasing the following Snort rules that detects attempts to exploit them. Please note that additional rules may be released in the future, and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. \n \n**Snort Rules:** \n\n\n * 45628, 46927 - 46930, 46933 - 46935, 46938 - 46945, 46951 - 46958, 46961 - 46962\n", "modified": "2018-06-19T18:44:24", "published": "2018-06-12T11:58:00", "id": "TALOSBLOG:30BC73E0EDF7739A87A63A99D8A6E0D4", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/jJACfZt8sFk/ms-tuesday.html", "type": "talosblog", "title": "Microsoft Patch Tuesday - June 2018", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2018-06-19T08:13:49", "bulletinFamily": "blog", "description": "\n\nAs a native Texan, I\u2019ve seen more than my fair share of bugs - actual physical bugs that love the hot, humid Texas climate and my curly hair for some reason. The Zero Day Initiative (ZDI) sees many bugs (of the software variety), including those that affect SCADA control systems. Fritz Sands recently walked through a deep dive into an attack on a remote procedure call (RPC) interface based on the proofs of concept from Advantech vulnerability submissions to ZDI. While Advantech\u2019s products focus on Internet of Things (IoT) and Industrial IoT, the use of RPC interfaces isn\u2019t limited to SCADA. Their use is more prevalent than you think. So if you want to get an understanding of RPC interfaces and hone your skills, you can go down the rabbit hole with Fritz and get the full details [here](<https://www.zerodayinitiative.com/blog/2018/6/7/down-the-rabbit-hole-a-deep-dive-into-an-attack-on-an-rpc-interface>).\n\n**Microsoft Security Updates**\n\nThis week\u2019s Digital Vaccine\u00ae (DV) package includes coverage for Microsoft updates released on or before June 12, 2018. This month, Microsoft released 50 security patches covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V Server, Windows, and Microsoft Office and Office Services. Of the 50 CVEs, 11 are listed as Critical and 39 are rated Important. Five of the CVEs came through the ZDI program. The following table maps Digital Vaccine filters to the Microsoft updates. You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [June 2018 Security Update Review](<https://www.zerodayinitiative.com/blog/2018/6/12/the-june-2018-security-update-review>) from the Zero Day Initiative:\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2018-0871 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-0978 | 32124 | \nCVE-2018-0982 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-1036 | 32162 | \nCVE-2018-1040 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8110 | 32026 | \nCVE-2018-8111 | 32027 | \nCVE-2018-8113 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8121 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8140 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8169 | 32164 | \nCVE-2018-8175 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8201 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8205 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8207 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8208 | 32126 | \nCVE-2018-8209 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8210 | 32028 | \nCVE-2018-8211 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8212 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8213 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8214 | 32127 | \nCVE-2018-8215 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8216 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8217 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8218 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8219 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8221 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8224 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8225 | 32029 | \nCVE-2018-8226 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8227 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8229 | 32030 | \nCVE-2018-8231 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8233 | 32034 | \nCVE-2018-8234 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8235 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8236 | 32054 | \nCVE-2018-8239 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8243 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8244 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8245 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8246 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8247 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8248 | 32032 | \nCVE-2018-8249 | 32038 | \nCVE-2018-8251 | 32068 | \nCVE-2018-8252 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8254 | | Vendor Deemed Reproducibility or Exploitation Unlikely \nCVE-2018-8267 | 32065 | \n \n \n\n**Zero-Day Filters**\n\nThere are six new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Foxit (2)_**\n\n| \n\n * 31967: HTTP: Foxit Reader resolveNode Use-After-Free Vulnerability (ZDI-18-339)\n * 31969: HTTP: Foxit Reader boundItem Use-After-Free Vulnerability (ZDI-18-353) \n---|--- \n| \n \n**_Microsoft (3)_**\n\n| \n\n * 31953: HTTP: Microsoft Windows VBScript Join Function Memory Corruption Vulnerability (ZDI-18-297)\n * 31955: HTTP: Microsoft Windows Font Memory Corruption Vulnerability (ZDI-18-293)\n * 31970: HTTP: Microsoft Windows JScript defineProperty Use-After-Free Vulnerability (ZDI-18-298) \n---|--- \n| \n \n**_OMRON (1)_**\n\n| \n\n * 31965: HTTP: OMRON CX-Supervisor SCS File Parsing Buffer Overflow Vulnerability (ZDI-18-261) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-june-4-2018/>).\n\nThe post [TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of June 11, 2018](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-june-11-2018/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2018-06-15T12:39:57", "published": "2018-06-15T12:39:57", "id": "TRENDMICROBLOG:F2BD1E9071121715A43D46B35B2E97A7", "href": "https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-june-11-2018/", "type": "trendmicroblog", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of June 11, 2018", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}